UNCLASSIFIED 


_ AD  NUMBER _ 

AD458456 

LIMITATION  CHANGES 
TO: 

Approved  for  public  release;  distribution  is 
unlimited. 


FROM: 

Distribution  authorized  to  U.S.  Gov't,  agencies 
and  their  contractors ; 

Administrative/Operational  Use;  JAN  1965.  Other 
requests  shall  be  referred  to  Air  Force  Systems 
Command,  Andrews  AFB,  MD . 


_ AUTHORITY 

AFSC  Itr,  26  Apr  1971 


THIS  PAGE  IS  UNCLASSIFIED 


UNCLASSIFIED 


ARMED  SERVICES  TECHNICAL  INFORMATION  AGENCY 
ARLINGTON  HALL  STATION 
ARLINGTON  12,  VIRGINIA 


NOTICE:  When  government  or  other  drawings,  speci¬ 
fications  or  other  data  are  used  for  any  purpose 
other  than  in  connection  with  a  definitely  related 
government  procurement  operation,  the  U.  S» 
Government  thereby  incurs  no  responsibility,  nor  any 
obligation  whatsoever]  and  the  fact  that  the  Govern¬ 
ment  may  have  formulated,  furnished,  or  in  any  way 
supplied  the  said  drawings,  specifications,  or  other 
data  is  not  to  be  regarded  by  implication  or  other¬ 
wise  as  in  any  manner  licensing  the  holder  or  any 
other  person  or  corporation,  or  conveying  any  rights 
or  permission  to  manufacture,  use  or  sell  any 
patented  Invention  that  may  in  any  way  be  related 

thereto. 


this  document  is  best 

QUALITY  AVAILABLE.  THE  COPY 
FURNISHED  TO  DTIC  CONTAINED 
A  SIGNIFICANT  NUMBER  OF 
PAGES  WHICH  DO  NOT 
REPRODUCE  LEGIBLY. 


'  ■SC  FR-  65-2  Vol  III 


.1  :  !■  i  •  i  :  i  r  !■;. 


(  .AC) 


<)  MR  '  l-  .  :.N 
If  A  1  SI.’  I'I’I  A  E  N  I') 


■  L'  in  Command 
M  i  )  i  c\  nd 


DUC 

-r^rpnn  n 


t  LD  f-  u 


0DC4RA  B 


* 


AVAILABILITY  NOTICE 


Qualified  users  may  obtain  copies  of  this 
report  from  the  Defense  Documentation  Center 
(DDC),  Cameron  Station,  Alexandria,  Virginia, 
22314. 


This  report  has  been  released  to  the  Office  of  I 

Technical  Services,  U.  S.  Department  of  Commerce,  j 
Washington  25,  D.  C. ,  for  sale  to  the  general  public.  £ 


ERRATTA 


B  March  £6 


FINAL  REPORTS  OF  THE 

VfFAPON  SYSTFM  EFFECTIVENESS  INDUSTRY  ADVISORY  COMMITTEE  (WSEIAC) 


AFSC-TR-AS'-I 
AFSC-TR-^-?  (Vole 
AFSC-TR-^-3 
AFSC-TR-^-li  (Vole 


I,  II  h  HI) 


I  Kr  III) 


(Note!  Thin  Errata  sheet  applies  to  each  of  the  above  reports.) 


Tho  AVAIJARILTTY  NOTICE  appearing  on  the  in¬ 
side  of  the  front  cover  and  on  tho  DD  Form  1)j73 
(Block  10)  in  revised  to  road: 

"Qualified  users  may  obtain  copies  of 
this  report  from  the  Defense  Documentation 
Center  (DDC),  Cameron  Station,  Alexandria, 
Virginia  2231U.  Defenso  Documentation 
Center  release  to  the  Office  of  Technical 
Services  is  not  authorized," 


WEAPON  SYSTEM  EFFECTIVENESS 
INDUSTRY  ADVISORY  COMMITTEE  (WSEIAC) 

FINAL  REPORT 
of 

TASK  GROUP  II 


PREDICTION  -  MEASUREMENT 
(TECHNICAL  SUPPLEMENT) 


FOREWORD 


This  is  Volume  III  of  the  final  report  of  Task  Group  II  of  the  Weapon 
System  Effectiveness  Industry  Advisory  Committee  (WSEIAC).  it  is  sub¬ 
mitted  to  the  Commander,  AFSC,  in  partial  fulfillment  of  Task  Group  II 
objectives  cited  in  the  committee  Charter.  The  final  report  is  contained  in 
three  separate  volumes: 

Volume  I  contains  an  overview  of  Task  Group  II  findings, 
including  a  summary  of  Volumes  II  and  III,  conclusions, 
and  recommendations. 


Volume  II  contains  a  discussion  of  effectiveness  concepts, 
a  description  of  specific  tasks  required  to  evaluate  effec¬ 
tiveness,  and  a  detailed  example  illustrating  the  method. 

Volume  III  contains  descriptions  of  effectiveness  analysis 
methods  applied  to  four  typical  Air  Force  systems  using 
the  techniques  described  in  Volume  II. 


The  membership  of  Task  Group  II  was  as  follows: 


Mr.  D.  F.  Barber  (Chairman) 

Mr.  I.  Bosinoff 

Mr.  I.  Doshay 

Dr.  B.  J.  Flehinger 

Mr.  W.  Haigler 

Mr.  H.  J.  Kennedy 

Mr.  C.  R.  Knight  ( Technical 

Director) 

Mr.  A.  J.  Monroe 
Mr.  M.  H.  Saunders 
Mr.  M.  M.  Tall 
Mr.  H.  D.  Voegtlen 


RADC  (EMER) 

Sylvania  Electronics  System  Division 
Space  General  Corporation 
IBM  -  Thomas  J.  Watson  Research 
Laboratories 

Rocketdyne  -  Division  of  North 
American  Aviation,  Inc. 

ARINC  Research  Corporation 
ARINC  Research  Corporation 

TRW  Space  Technology  Laboratories 
OOAMA  (OONEW) 

Radio  Corporation  of  America 
Hughes  Aircraft  Company 


Other  task  group  reports  submitted  in  fulfillment  of  the  committee's 
objectives  are: 

AFSC-TR-65-1  Final  Report  of  Task  Group  I 

"Requirements  Methodology" 

AFSC-TR-65-3  Final  Report  of  Task  Group  III 

"Data  Collection  and  Management  Reports" 


AFSC-TR-65-4 


Final  Report  of  Task  Group  IV 
"Cost  Effectiveness  Optimization" 

AFSC-TR-65-5  Final  Report  of  Task  Group  V 
"Management  Systems" 

AFSC-TR-65-6  Final  Summary  R eport 

"Chairman's  Final  Report" 

Publication  of  this  report  does  not  constitute  Air  Force  approval  of  the 
report's  findings  or  conclusions.  It  is  published  only  for  the  exchange  and 
stimulation  of  ideas. 


APPROVED 

ft  l i,  '  /  ,  /  j/  -  ( ^  ‘  '  - '  /  L 

William  F.  Stevens,  Colonel,  USAF 
Chief,  Systems  Effectiveness  Division 
Directorate  of  Systems  Policy 
DCS  Systems 


4 


WSELA.C  CHARTER 


In  order  that  this  report  of  Task  Group  II  may  be  studied  in  context  with 
the  entire  committee  effort.,  the  purpose  and  task  group  objectives  as  stated 
in  the  WSELA.C  Charter  are  listed  below: 

Purpose 

The  purpose  of  the  Weapon  System  Effectiveness  Industry  Advisory 
Committee  is  to  provide  technical  guidance  and  assistance  to  AFSC  in  the 
development  of  a  technique  to  apprise  managemert  of  current  and  predicted 
weapon  system  effectiveness  at  all  phases  of  weapon  system  life. 

Task  Group  Objectives  / 

Task  Group  I  -  Review  present  procedures  being  used  to  establish  system 
effectiveness  requirements  and  recommend  a  method  for  arriving  at  require¬ 
ments  that  are  mission  responsive. 

Task  Group  II  -  Review  existing  documents  and  recommend  uniform  methods 
and  procedures  to  be  applied  in  predicting  and  measuring  systems  effective¬ 
ness  during  all  phases  of  a  weapon  system  program. 

Task  Group  III  -  Revie'  ormat  and  engineering  data  content  of  existing 
system  effectiveness  reports  and  recommend  uniform  procedures  for 
periodically  reporting  weapon  system  status  to  assist  all  levels  of  manage¬ 
ment  in  arriving  at  program  decisions. 

Task  Group  IV-  Develop  a  basic  set  of  instructions  and  procedures  for 
conducting  an  analysis  for  system  optimization  considering  effectiveness, 
time  schedules,  and  funding. 

Task  Group  V  -  Review  current  policies  and  procedures  of  other  Air  Force 
commands  and  develop  a  framework  for  standardizing  management  visibility 
procedures  throughout  all  Air  Force  commands. 


IV 


ABSTRACT 


This  Technical  Supplement  is  concerned  primarily  with  four  examples  of 
effectiveness  evaluations.  The  systems  involved  are:  The  avionics  system 
in  a  tactical  fighter -bomber  {Example  A);  a  squadron  of  intercontinental 
ballistic  missiles  (Example  B);  a  fixed  radar  surveillance  and  threat 
evaluation  system  (Example  C);  and,  a  spacecraft  system  (Example  D). 

In  addition  to  the  variety  of  system  types  included,  an  attempt  has  been 
made  to  illustrate  procedures  employed  at  different  phases  of  development. 
The  evaluation  of  the  Avionics  system  takes  place  during  Program 
Definition;  the  ICBM  squadron,  during  Operation;  the  Radar  system,  during 
Definition  and  Operation;  and,  the  Spacecraft,  during  Acquisition.  Since 
evaluation  during  the  Conceptual  phase  will  generally  be  based  on  a  gross 
comparison  with  existing,  similar  systems,  it  was  not  felt  that  an  example 
of  such  an  analysis  was  necessary.  Further,  each  example  is  intended  to 
illustrate  to  a  different  level  of  detail,  various  aspects  of  tl  *  evaluation. 

The  avionics  system  example,  for  instance,  shows  the  possibility  of  com¬ 
bining  independent  evaluations  of  several  subsystems.  The  radar  example 
shows  simplifications  which  can  be  made  in  order  to  minimize  the  number  of 
system  states  to  be  considered.  Ir.  the  ICBM  example,  illustrations  of  mary 
of  the  detailed  procedures  required  to  evaluate  components  of  the  vectors 
and  matrices  are  shown.  Finally,  the  spacecraft  example  addresses  itself 
to  techniques  for  determining  elements  of  the  Dependability  matrix.  It  is 
stressed,  however,  that  these  examples  do  not  purport  to  illustrate  all 
possible  methods  of  application  and  use  of  the  evaluation  procedures. 

Rather  they  are  intended  to  show  some  methods  for  applying  the  concepts, 
areas  of  flexibility  in  their  application,  and  some  uses  which  might  be  made 
of  the  evaluations. 


TABLE  OF  CONTENTS 


Page 

FOREWORD  iii 

ABSTRACT  vi 

ILLUSTRATIONS  AND  TABLES  (SEE  EXAMPLES) 

SECTION  I  -  INTRODUCTION  .  1 

SECTION  II  -  EXAMPLES  OF  SYSTEM  EFFECTIVENESS 

EVALUATION  .  4 

EXAMPLE  A  -  AIRBORNE  AVIONICS  SYSTEM .  5 

EXAMPLE  B  -  INTERCONTINENTAL  BALLISTIC  MISSILE 

SQUADRON .  58 

EXAMPLE  C  -  RADAR  SURVEILLANCE  SYSTEM  . 233 

EXAMPLE  D  -  SPACECRAFT  SYSTEM  DEPENDABILITY  ....  281 

APPENDIXES  (SUPPLEMENTARY  TECHNICAL  DOCUMENTS) 

I.  A  Model  Framework  for  System  Effectiveness . 352 

II.  Concepts  and  Models  of  System  Effectiveness  . 373 

BIBLIOGRAPHY  . 415 


SECTION  I 


INTRODUCTION 
Resume  of  Task  Group  II  Effort 

In  Volume  II  of  the  final  report  of  Task  Group  II,  Weapon  System 
Effectiveness  Industry  Advisory  Committee,  a  discussion  of  the  concept  of 
System  Effectiveness  was  presented.  In  addition,  a  mathematical  model  to 
facilitate  the  evaluation  of  Effectiveness  was  proposed;  the  tasks  to  be 
accomplished  in  using  the  model  were  delineated  and  discussed;  and  a 
tutorial  example  showing  the  application  of  the  procedures  to  a  radar 
system  was  presented. 

It  was  appreciated  by  members  of  Task  Group  II  that  Effectiveness 
evaluation  for  large  weapon  systems  is  a  complex  task,  subject  to  many 
variations  in  detailed  procedures  depending  upon  the  system  type,  available 
information /data.  ?..id  the  stage  of  development.  In  order  to  provide  a  pre¬ 
liminary  analysis  of  the  utility  of  the  methods  propc  sed.  Task  Group  II 
applied  the  procedures  in  evaluating  the  Effectiveness  of  several  hypothe¬ 
tical  systems.  While  these  exercises  cannot  be  considered  to  have  raised 
and  answered  all  questions  that  will  occur  during  actual  evaluations,  they  do 
suggest  some  areas  of  difficulty  and  types  of  solutions  applicable. 

Aside  from  providing  a  preliminary  evaluation  of  the  proposed  proce¬ 
dures,  it  was  felt  that  presentation  of  these  examples  would  provide  the 
reader  with  additional  comment  on  the  application  of  the  techniques.  For 
this  reason,  they  are  discussed  at  some  length  in  SECTION  II  of  this 
Technical  Supplement. 

In  addition  to  the  examples,  this  supplement  also  contains  two  technical 
papers  not  generally  available,  yet  of  interest  to  personnel  concerned  with 
Effectiveness  evaluation.  These  papers  co  rise  the  two  appendixes  to  this 
supplement. 

Finally,  a  tabulation  of  data  sources  which  may  be  employed  in  the 
analysis  of  System  Effectiveness  is  included  as  a  BIBLIOGRAPHY. 

The  following  paragraphs  present  an  analytical  framework  common  to 


1 


the  treatment  of  the  four  examples. 
Mathematical  Framework 


The  specific,  basic,  analytical  model  proposed  by  Task  Group  II  in  its 
symbolic  form  is 

E  =  a'  Id  u 

where 

E  =  System  Effectiveness,  is  a.measure  of  the  extent  to  which  a  system 
may  be  expected  to  achieve  a  set  of  specific  mission  requirements 
and  is  a  function  of  availability,  dependability,  and  capability. 

I 

~K  =  Availability,  is  a  measure  of  the  system  condition  at  the  start  of  a 
mission  and  is  a  function  of  the  relationships  among  hardware, 
personnel,  and  procedures. 

j  D*|  =  Dependability,  is  a  quantitative  measure  of  the  system  condition  at 

~  "  one  or  more  points  during  the  mission,  given  the  system  con¬ 
dition^)  at  the  start  of  the  mission,  and  may  be  stated  as  the 
probability  (or  probabilities  or  other  suitable  mission  oriented 
measure)  that  the  system  will  enter  and/or  occupy  any  one  of  its 
significant  states  during  a  specified  mission. 

TT  =  Capability,  is  a  measure  of  the  ability  of  a  system  to  achieve  the 
mission  objectives,  given  the  system  condition(s)  during  the 
mission,  and  specifically  accounts  for  the.  performance  spectrum 
of  a  system. 

This  basic  framework  is  not  intended  to  be  restrictive.  This  point  is 
illustrated  in  the  radar,  detection  and  tracking  example  of  Volume  II  where 
the  following  variations  on  the  basic  model  are  illustrated: 

EL  =  a'  C(0) 

E2  =  A  ^(0)  D(30)  ~C{  30) 


In  the  first  variation,  the  system  effectiveness  (E^)  is  defined  to  be  the  pro¬ 
bability  that  the  radar  will  adequately  perform  initial  detection  of  the  target. 
In  this  ca^e  the  dependability  matrix  reduces  to  unity  since  "mission 
duration"  is  measured  from  the  point  of  initial  detection,  and  applies  to 
detection  capability  only  (denoted  by  C(0).  In  the  second  variation, 


? 


the  system  effectiveness  (E^)  *s  ^e^ne<^  to  be  the  probability  of  initial 
detection  and  track  for  a  period  of  thirty  minutes.  In  this  case  the 


elements  of  the  detection  capability  vector  "C(O)  become  the  elements  of  a 


capability  matrix  C  [C(0)1  The  original  availability  vector  and  this  new 
capability  matrix  C  [C(0)j  are  now  multiplicatively  combined  with  a  depend¬ 
ability  matrix  [d(30)]  and  a  new  capability  vector  C(0)  which  express  the 
tracking  capability  of  the  radar  for  a  period  of  thirty  minutes.  In  the  final 
variation;  the  system  effectiveness  (E^)  is  defined  to  be  the  probability  of 
successful  track;  given  initial  detection.  This  conditional  measure  is  the 
ratio  of  the  two  previously  treated  variations. 


The  intended  flexibility  of  approach  is  further  illustrated  in  the  avionics 
example,  which  is  Example  A  of  this  Technical  Supplement,  where  the 
following  series  of  effectiveness  measures  are  illustrated. 


e!i}  =  A1,  [d]  . c ^ 

3  3  L  1  3  3 

E(l)  =  .it.  e!1* 

J=i  3 


m 


(i) 


The  first  measure  E^  treats  the  effectiveness  of  the  system  function  or 
«  « til  ^ 

subsystem  in  the  i  mode  of  operation  in  terms  of  the  basic  analytical 
model.  The  system  effectiveness  in  the  i^  mode  of  operation  (E^*  )  is  then 
treated  as  the  continued  product  of  the  E.1  over  the  k  subsystems  (or 
functions)  that  collectively  define  the  avionics  system.  Finally,  the  net 
effectiveness  of  the  entire  avionics  system  (E)  is  the  sum  of  the  effectiveness 
of  the  system  in  each  of  its  modes  of  operation  E^  multiplied  by  the 
probability  of  utilizing  that  mode  of  system  operation,  where  m  is  the 
number  of  modes  of  operation. 


The  common  elements  in  these  variations  are  availability,  dependability, 
and  capability.  The  precise  manner  in  which  they  combine  depends  wholly 
upon  the  specific  definition  of  system  effectiveness  which  is  to  be  considered. 


3 


I 


SECTION  II 

EXAMPLES  OF  SYSTEM  EFFECTIVENESS  EVALUATION 

This  section  consists  of  four  examples  of  effectiveness  evaluation. 

The  examples  relate  to  the  following  systems: 

Example  A  -  the  avionics  system  in  a  tactical  fighter -bomber 

Exampie  B  -  a  squadron  of  intercontinental  ballistic  missiles 

Example  C  -  a  fixed  radar  surveillance  and  threat  evaluation  system 

Example  D  -  a  spacecraft  system 

As  stated  previously  in  the  Abstract,  each  example  illustrates,  to  a 
different  level  of  detail,  various  aspects  of  the  evaluation. 

The  examples  do  not  presume  to  illustrate  all  possible  methods  of 
application  and  use  of  the  evaluation  procedures.  It  is  the  intent  of  the 
examples,  however,  to  show  some  methods  for  applying  the  concepts,  areas 
of  flexibility  in  their  application,  and  some  uses  which  could  be  made  of  the 
evaluations. 


4 


EXAMPLE  A 

AIRBORNE  AVIONICS  SYSTEM 


5 


TABLE  OF  CONTENTS 


Page 


I--.-  INTRODUCTION  AND  .-.SUMMARY.  .  ........  . .  8 

II.  EFFECTIVENESS  ESTIMATION  .  9 

1.0  Mission  Definition . ,. .  9 

2.0  System  Description .  9 

2.1  General  Configuration  .  9 

2.2  Block  Diagram .  12 

2.3  Mission  Profile  . . .  12 

2.4  Delineation  of  Mission  Outcomes  .  12 

3.0  Specification  of  Figure s-of -Merit  .  . .  16 

l+.O  Identification  of  Accountable  Factors .  17 

4.1  Tabulation  of  F’actors .  17 

4.2  Discussion  of  Factors .  18 

5.0  Model  Construction .  20 

5.1  Delineation  of  System  States  .  20 

5.2  Operational  Considerations  and  Equipment  Usage  ...  21 

5.3  System  Model .  22 

6.0  Data  Acquisition .  23 

7.0  Parameter  Estimation  .  24 

7.1  Basic  Equipment  Characteristics  .  24 

7.2  Determination  of  Availability  .  27 

7-3  Determination  of  Dependability  .  30 

7.4  Determination  of  Capability  .  32 

8.0  Model  Exercise .  41 

8.1  Effectiveness  of  Individual  Functions .  41 

8.2  Effectiveness  for  Individual  Mission  Itypes  ....  49 

8.3  Overall  System  Effectiveness  .  49 

8.4  Applicst"u  1  of  Model  Results .  51 


6 


ILLUSTRATIONS 

Figure  Page 

___1 _ System  Block  Diagram .  13 

2  Mission  Profile  and.  Periods  During  Which  Use  of 

Each  Equipment  is  Desired .  14 

3  Number  of  Systems  (ll)  Required  to  Provide  Assurance  (f) 
of  Mission  Accomplishment  as  a  Function  of 

System  Effectiveness  (S)  52 

k  Influence  or,  System  Effectiveness  of  Variation  in 

Mean-Times -Betareen-Failure  for  Each  Equipment .  55 

5  Influence  on  System  Effectiveness  of  Variation  in 

Mean -Down-Times  for  Each  Equipment  .  56 

TABLES 

Table  Page 

I  Reliability,  Maintainability,  and  State  Readiness  Indices  .  .  26 

II  Navigation  System  States  .  28 

III  Blind-TossSystem  States .  29 

IV  Probabilities  of  Launch .  31 

V  Equipment  Transition  Probabilities  .  33 

VI  Navigation  Equipment  Capabilities  .  35 

VII  Delivery  Capabilities  by  Mode  and  State .  40 


7 


I.  INTRODUCTION  AND  SUMMARY 

This  example  shows  the  application  of  the  expression 
E  =  a|_dJc 

to  the  avionics  system  of  a  tactical  fighter-bomber  aircraft. 
The  evaluation  proceeds  by  performing  the  analyses  outlined 
in  the  eight-step  task  analysis  ,  VOLUME  II. 

The  evaluation  is  made  in  this  example  by  determining 
the  Effectiveness  of  each  of  several  functions  of  the 
avionics  system  for  each  of  three  mission  types.  These 
figures  are  then  combined  to  provide  an  indication  of  the 
overall  Effectiveness  of  the  system. 

A  computer  program  was  written  for  the  model  so  that 
parameter  variation  was  feasible.  Curves  showing  the 
influences  on  Effectiveness  of  variations  in  basic  reli¬ 
ability  and  maintainability  characteristics  of  the  several 
equipments  are  shown.  A  relationship  is  also  shown  between 
the  required  number  of  systems  to  provide  assurance  of 
mission  accomplishment  and  the  effectiveness  of  the  system. 


8 


f 


II.  EFFECTIVENESS  ESTIMATION 

* 

1  1.0  Mission  Definition 

At  any  random  time  when  an  execution  order  is  received, 
the  aircraft  shall  take  off  immediately,  receive  a  target 
assignment,  proceed  to  target  area,  deliver  weapon  within 
500  feet  of  target,  and  return  to  assigned  operating  base. 

2.0  System  Description 

2.1  General  Configuration 

The  system  being  considered  consists  of  three  major 
subsystems  which  are,  where  appropriate,  sub-divided  into 
equipments . 

a.  Fire  Control  Subsystem 

1 

1.  Radar  (Search  and  Terrain  Avoidance  functions) 

2.  Toss-bomb  Computer 

3.  Sight  System 

b.  Doppler  Navigator 

The  Doppler  Navigator  in  this  example  is  considered 

to  be  a  single  equipment. 


9 


t 


Communication-Identification-Navigation  (CIN) 


c . 


1. 

UHF  direction  finder 

2. 

Tacan 

3. 

Instrument  Landing  System  (ILS) 

4. 

UHF  transmitter 

-receiver 

5. 

Identification 

equipment 

6 . 

Audio  amplifier 

equipment 

The  equipments  itemized  are  independent  of  each  other,  i.e., 
the  condition  of  any  equipment  does  not  influence  the  con¬ 
dition  of  any  other . 

2.1.1  Functions  of  Equipments 

The  Fire  Control  Subsystem  is  employed  in  actual  weapon 
delivery.  It  provides  a  radar  display  of  the  target  and  com¬ 
putation  of  weapon  release  point  in  the  toss-bombing  mode. 

It  also  provides,  through  the  Sight  System,  the  aiming  point 
for  "lay-down"  delivery. 

In  addition,  the  "terrain  avoidance"  feature  of  the  radar 
provides  automatic  control  of  the  aircraft  so  that  high  speed, 
low  level  target  approaches  are  possible.  To  simplify  the 
example,  it  will  be  assumed  that  the  equipment  required  for 
the  terrain  avoidance  function  is  separate  from  that  required 
for  the  bombing  function. 


10 


The  Doppler  Navigator  provides  the  prime  navigation 
function  by  computing  and  displaying  information  on  both 
present  position  and  distance/heading  to  target.  Alternate 
navigation  procedures  are  provided  by  the  Tacan  and  the  UHF 
Direction  Finder.  Each  of  these,  however,  requires  ground 
station  facilities.  If  ground  station  transmitters  are  avail¬ 
able,  operating  and  within  range,  the  Tacan  provides  distance 
and  bearing  information,  while  the  Direction  Finder  provides 
bearing  data  only. 

The  Instrument  Landing  System  (ILS)  provides  the  ability 
to  land  the  aircraft  under  ceiling  and  visibility  conditions 
which  would  otherwise  prevent  landing. 

The  UHF  transmitter-receiver  is  the  only  radio  communica¬ 
tion  device,  and  is  employed  for  all  in-flight  radio  communi¬ 
cation.  For  the  mission  being  considered,  the  essential 
communication  function  is  that  of  receiving  and  acknowledging 
target  assignment  information.  The  Audio  Amplifier  equipment 
is  employed  with  the  UHF  transmitter-receiver  only,  and  may 
be  considered  as  a  part  of  that  equipment. 

The  Identification  equipment  (IFF)  provides  a  coded 
identification  signal  in  response  to  an  interrogation  by 
friendly  forces.  Failure  to  provide  the  proper  response  can 
result  in  attack  by  friendly  forces. 


11 


2.2  Block  Diagram 


A  general  block  diagram  of  the  system  is  shown  in 
Figure  1.  The  essential  functions  to  be  performed  are  indicated 
in  the  upper  diagram,  while  the  equipment (s)  capable  of  per¬ 
forming  the  functions  are  shown  in  the  lower  diagram. 

2.3  Mission  Profile 

A  time-line  analysis  of  the  mission  being  considered  is 
shown  in  Figure  2.  The  upper  section  shows  the  function (s) 
being  performed  during  various  phases  of  the  mission.  The 
lower  section  shows  the  times  during  the  mission  when  the 
functioning  of  each  equipment  is  desired.  Because  the 
demands  upon  the  equipments  vary  with  the  type  of  bomb  deliv¬ 
ery,  the  requirements  are  shown  for  each  of  the  three  bomb 
delivery  modes,  viz.,  visual  lay-down  (VL),  visual  toss  (VT), 
and  blind  toss  (BT) . 

2.4  Delineation  of  Mission  Outcomes 

(A)  Mission  accomplished  exactly  as  noted  in  (1.0) 

(B)  Mission  not  accomplished  exactly  as  noted  in  (1.0) 

(l)  Aircraft  does  not  proceed  without  delay. 

(a)  One  or  more  subsystems  known  or  thought 
to  be  in  such  state  that  aircraft  is  not 
launched . 


12 


euof40ur\i  B^uamd-pnbg 

i  3 


g 


o 

H 


SYSTEM  BLOCK  DIAGRAM 


(• 


Time  ( Hours )  0 

.0  0,2  0.4 

1  1 

0.6 

1 

0.8  1.0 

1  1 

r  -> 

fN  ROUTE  TO  TARGET  AREA 
[COMMUNICATE,  NAVIGATE,  IDENTIFY) 

IDENT. 

TARGET 

r-A 

RETURN  TO  ASSIGNED  BASE 
(NAVIGATE,  IDENTIFY ) 

i  i1. 

n  *  k 

_Cl  J: 

Equipment 


Radar 


VL_ 

VT_ 

BT 


Terrain  avoid¬ 
ance  and  bomb¬ 
ing 


Terrain  avoid¬ 
ance  only 


Toss  Bomb  Computer 


VL 

VT 

BT 


Sight  Syetem 


VL _ 

VT _ 

BT 


r 


Doppler  Navigator 


Direction  Finder 
(DF) 


Tacan 


yr  T 

Communlcatlona  VT j 

( UHF )  bt  | 


identification 

IFF) 


VL 

VT 

BT 


Instrument  Landing 
System  (IL3)  w 

BT 


VL  ■»  Visual  Laydown  Mode 
VT  -  Visual  Toss  Mode 
BT  •>  Blind  Toss  Mode 


3 


FIGURE  2 

MISSION  PROFILE  AND  PERIODS 
DURING  WHICH  USF.  OF  EACH  EQUIPMENT  IS  DESIRED 


14 


(2)  Aircraft  does  not  receive  target  assignment, 

(a)  Failure  or  inadequacy  of  one  or  more 


(3) 


(*) 


subsystems  prevents  receipt  of  target 
assignment 

Aircraft  does  not  deliver  weapon  within  500 

feet  of  target. 

(a)  Aircraft  does  not  reach  target  area. 

(No  weapon  release.) 

(a-1)  Failure  or  inadequacy  of  one  or 

more  subsystems  prevents  reaching 
target  area. 

(b)  Aircraft  does  not  identify  target. 

(No  weapon  release.) 

(b-1)  Failure  or  inadequacy  of  one  or 

more,  subsystems  prevents  identifi¬ 
cation  of  target. 

(c)  Aircraft  does  not  place  weapon  within 
500  feet  of  target.  (Release) 

(c-1)  Failure  or  inadequacy  uf  one  or 

more  subsystems  results  in  inaccurate 
delivery. 

Aircraft  does  not  return  to  assigned  operating 

base . 


(a)  Aircraft  lost. 


15 


(a-?.)  Failure  or  inadequacy  of  one 

or  more  subsystems  results  in  air¬ 
craft  loss. 

(b)  Aircraft  returns  to  wrong  base. 

(b-1)  Failure  or  inadequacy  of  one  or 
more  subsystems  prevents  return 
to  assigned  base. 

3 . 0  Specification  of  Figures -of -Merit 

For  this  specific  mission  requirement,  the  major  figure- 
of -merit  is  the  probability  that  the  mission,  as  defined,  will 
be  accomplished. 

Accomplishment  of  the  mission,  however,  depends  upon  the 
successful  performance  of  several  individual  functions.  Follow¬ 
ing  take-off,  the  required  functions  are: 

a.  Receipt  and  acknowledgement  of  target  assignment. 

b.  Navigation  to  a  point  not  more  than  five  miles  from 
target. 

c.  Proper  identification  when  interrogated. 

d.  Penetration  of  enemy  defenses. 

e.  Identification  of  target  and  weapon  delivery  within 
500  feet  of  target. 

f.  Navigation  to  within  10  miles  of  assigned  operating 
base. 

g.  Landing. 


16 


The  probability  of  accomplishing  each  of  these  functions 
may  also  be  regarded  as  an  appropriate  figure  of  merit  of 
interest  to  particular  levels  of  management.  For  this  reason, 
each  will  be  evaluated. 

4.0  Identification  of  Accountable  Factors 

4.1  Tabulation  of  Factors 

a.  Operational  conditions 

Physical  environment  (climate) 

Day  vs.  night  conditions 
Good  (VFR)  vs.  bad  (IFR)  weather 
Modes  of  weapon  delivery 
Enemy  counteractions 
Actions  by  friendly  forces 

b .  Support  situation 

Ground  operating  equipment 

Ground  support  equipment 

Availability  and  adequacy 

Test  equipment 
Repair  facilities 

Maintenance  personnel 

Number  and  skill  levels 
Number  of  shifts 


17 


Spare  parts  and  units 

Availability- 
Repair  philosophy 

Lobule  vs.  part  replacement 
4.2  Discussion  of  Factors 

Climate :  The  evaluation  is  to  be  conducted  for  a  semi- 

tropical  environment.  The  ground  temperatures  range  from 
70°-105°F,  humidity  between  60-100$.  Atmospheric  conditions 
which  result  in  improper  radar  function  are  anticipated  1 $  of 
the  time. 

Visibility:  Daylight  conditions  exist  for  14  of  the  24 
hours  per  day,  or  for  58$  of  the  time. 

Bad  weather  (IFR)  conditions  exist,  on  the  average,  20$ 
of  the  time,  night  or  day. 

Visibility  conditions  of  such  a  nature  that  the  Instru¬ 
ment  Landing  System  is  essential  to  safe  landing  exist  5$  of 
the  time. 

Influcr.cn  of  visibility  conditions  on  mode  of  weapon 
delivery:  The  weapon  delivery  mode  depends  upon  both  the 

visibility  conditions  and  the  tactical  requirement.  Visual 
modes  can  be  used  only  under  daylight  TFR  conditions.  The 
tactical  requirements  are  such  that  the  lay-down  mode  will  be 


18 


preferred  80%  of  the  time.  (The  decision  concerning  lay- 
down  or  toss  must  be  made  prior  to  take-off,  since  a  different 
type  weapon  is  required  for  each.)  If  toss-bombing  is  pre¬ 
ferred,  the  visual  method  will  be  selected  whenever  possible, 
i.e.-,  weather  and  daylight  permitting. 

Enemy  Action:  Enemy  defensive  action,  i.e.,  the  enemy's 
ability  to  destroy  intruding  aircraft,  is  such  that 

1.  A  30%  loss  of  aircraft  is  anticipated  for  aircraft 
approaching  at  altitudes  in  excess  of  1000  feet 

at  normal  attack  speed. 

2.  A  5$  loss  of  aircraft  is  anticipated  for  aircraft 
approaching  at  altitudes  of  less  than  1000  feet 
at  normal  attack  speed. 

Friendly  Action:  Friendly  defenses  in  the  area  are  such 
that  90 %  of  the  aircraft  entering  the  defense  area  are  chal¬ 
lenged.  If  electronic  identification  equipment  in  friendly 
aircraft  does  not  respond  properly  to  a  challenge,  a  0.10 
probability  of  destruction  of  the  aircraft  by  friendly  defense 
exists.  (This  figure  reflects  the  occasions  when  secondary 
methods  of  identification, e.g. ,  visual,  prevent  attack  on 
friendly  aircraft.) 

Availability  of  Ground  Station  Equipments : 

Tacan:  It  is  expected  that  a  Tacan  ground  station  will  be 
available,  operating,  and  within  range  5 0 %  of  the  time. 


19 


UHF  Ground  Station:  It  is  expected  that  a  UHF  ground 


station  will  be  available,  operating,  and  within  range  40 % 
of  the  time. 

Ground  Support  Equipment:  Sufficient  ground  equipment 
will  be  provided  so  that  no  delays  in  repair  due  to  this 
factor  will  occur.  Further,  test  equipment  and  repair 
facilities  will  be  available  and  adequate  to  the  degree  that 
the  mean- down- times  presented  in  a  later  section  are  antici¬ 
pated. 

Maintenance  Personnel;  The  quantity  of  maintenance 
personnel  of  various  skill  levels  is  such  that  the  down¬ 
times  referred  to  above  represent  also  the  influence  of  this 
factor . 

Spare  Parts/Units:  All  repairs  to  the  avionics  system 
are  to  be  made  through  replacement  of  "flight-line  replace¬ 
able  units".  No  in-shop  maintenance  is  anticipated  at  this 
echelon.  Sufficient  spare  units  will  be  provided  to  prevent 
logistic  delays. 

5 . 0  Model  Construction 

5 . 1  Delineation  of  System  States 

Only  two  states  of  each  equipment,  i.e.,  operative  and 
failed,  are  to  be  considered.  It  will  be  observed  that  if 
all  combinations  of  two  states  of  each  of  ten  equipments  are 


20 


considered,  more  than  1000  system  states  are  defined.  This 
situation  would  obviously  complicate  the  system  evaluation. 

In  this  case,  however — and  in  many  actual  cases--simpli- 
fications  can  be  developed.  It  was  noted  in  Paragraph  2.0 
that  all  equipments  are  independent.  For  this  reason,  the 
Effectiveness  of  each  equipment  could  be  determined  individ¬ 
ually  and  the  resulting  figures  combined  to  determine  the 
system  effectiveness.  Because  of  an  interest  in  the  effec¬ 
tiveness  of  each  major  function,  however,  this  procedure  will 
be  applied  at  the  "function"  level  rather  than  at  the  equip- 
men+  level.  Therefore,  the  three  navigation  equipments  will 
Ve  treated  collectively,  so  that  the  eight  possible  combina¬ 
tions  of  the  three  equipment  states  will  be  considered.  Also, 
the  four  combinations  of  the  Radar  and  Toss-bomb  Computer 
states  will  be  considered. 

5.2  Operational  Considerations  and 
Equipment  Usage 

In  this  analysis,  two  methods  of  weapon  delivery  (Toss 
and  Lay-down),  and  two  basic  environmental  conditions  (Day¬ 
light  or  VFR,  and  Night  or  IFR)  will  be  considered.  However, 
the  Lay-down  type  delivery  is  only  attempted  during  daylight 
(VFR). 


21 


i  NOTE  No  especially  serious  attempt  has  been  made  to 

\  make  the  example  completely'  realistic .  Conditions 

1 

\  anu  requirements  have  generally  been  selected  to 

\ 

V  demonstrate  procedures  to  be  employed. 

V  In  Pigure  2  were  shown  the  several  mission  components  on 
a  timY  s08--1-6,  •Cn  addition,  for  each  of  three  combinations  of 
deiiveVy  mode  and  environmental  conditions,  the  equipments 
requires  durinS  various  portions  of  the  missions  are  indicated. 


Then 


three  situations  are: 

WL  -  Visual  conditions,  lay-down-type  delivery 
•y,Y  "  Visual  conditions,  tcss-bomb  delivery 
ET\  Bllnd  conditions,  toss-bomb  delivery. 


The  nrobab^' ll  ties  ox"'  accomplishing  the  mission  in  each 


of  the  three  sit1 


nations  will  be  evaluated.  The  overall 


Viatic 

ilf 


Effectiveness  wily-  then  be  determined  ^  combining  the  three 


figures,  weighted  ^  ‘ch'3  Probabilities  of  occurrence  of 
each  situation.  \ 

5.3  Systei^Model 

The  system  model  exPI’sss  the  Probability  of  success¬ 

fully  completing  a  missiV'  as  a  functlon  of  >  the  effec' 
tiveness  of  the  system  f oV  eaoh  of  the  three  d,'livery  modes>- 


V, 


and  (2)  the  probability  of  employing  each  delivery  mode. 

This  can  be  represented  by  the  following  simple  model: 

3 

e=  Zvi 

i=l 

where 

E  =  System  effectiveness 
E.  =  System  effectiveness  in  Mode  i 
=  Probability  of  using  Mode  i. 

The  three  values  of  P.^  will  be  determined  from  consid¬ 
eration  of  tactical  requirements  and  operational  conditions. 
The  values  of  E±  will  be  derived  by  combining  the  Effective¬ 
ness  figures  for  each  mission  function,  e.g.,  navigation, 
communication,  in  accordance  with  the  requirement  for  each 
function  in  the  particular  mission  type.  The  individual 
function  effectiveness  figures  will  be  computed  from  the 
proposed  basic  model: 

E  =  a[d]c 

Further  description  of  the  individual  models  will  be 
presented  in  Section  7.0. 

6 . 0  Data  Acquisition 

Because  this  evaluation  is  being  made  during  the  Program 
Definition  phase,  predictions  of  the  several  components  of 


11 


Effectiveness  will  be  required.  Suitable  prediction  tech¬ 
niques  must,  therefore,  be  specified. 

While  several  methods  for  predicting  reliability  and  main¬ 
tainability  are  available,  the  procedures  developed  for  the 
Aeronautical  Systems  Division,  AFSC,  by  ARINC  Research^are 
appropriate  for  this  evaluation. 

It  is  assumed  that  estimates  of  the  basic  capabilities 
of  the  various  equipments  have  been  made  by  individuals  who 
are  expert  in  regard  to  specific  equipment  types.  This  is 
a  reasonable  assumption,  since  it  generally  cannot  be  expected 
that  one  individual  will  be  sufficiently  experienced  in  all 
areas  to  make  such  estimates  independently. 


7.0  Parameter  Estimation 


7.1  Basic  Equipment  Characteristics 


The  prime  purpose  of  this  example  is  to  illustrate  a 
procedure  for  evaluation  of  Effectiveness.  While  the  pre¬ 
diction  of  the  basic  components  of  Effectiveness  for  any 


1/  H.  Balaban  &  A.  Drummond,  "Prediction  of  Field  Reliability 
for  Airborne  Electronic  Systems",  ARINC  Research  Publica¬ 
tion  No.  203-1-344,  31  December  1962. 

G.  Harrison,  H..  Leuba,  &  E.  Schneider,  "Maintainability 
Prediction  -  Theoretical  Basis  and  Practical  Approach" 
(Revised),  ARINC  Research  Publication  No.  267-02-6-420, 

31  December  19^3- 


24 


equipment  is  certainly  basic  to  the  evaluation,  a  detailed 
description  of  the  application  of  reliability  and  maintain¬ 
ability  prediction  techniques  will  not  enhance  this  exampli. 
For  further  discussion  of  these  procedures,  the  reader  is 
referred  to  the  list  of  references . 


For  the  purposes  of  this  example,  assume  that  reliability 
and  maintainability  predictions  made  in  accordance  with  the 
procedures  specified  resulted  in  the  individual  mean-times- 
between-failures  (t~)  and  the  mean-down-time  (t^)  shown  in 
Table  I.  Further,  the  State  Readiness  figure,  is 

calculated  from 

Vi  "  tf  +  td 

The  probability  that  the  equipment  is  not  ready,  i.e.,  is 
in  State  0,  is 

vo  =  1  -  V1 

The  basic  Capability  indices  will  be  discussed  in 
Section  7.^. 


2 /  The  subscript  notations  "1"  and  "0"  will  be  employed 

throughout  this  example  to  indicate  respectively,  operative 
state  and  failed  state.  Where  the  individual  states  of 
several  equipments  determine  functional  states,  e.g.. 
Navigation,  an  alphabetic  and  numeric  subscript  will  be 
employed.  For  example,  the  situation  in  which  the  Doppler 
and  the  Direction  Finder  are  each  in  State  1  and  the  Tacan 
is  in  State  0  is  identified  as  N^ • 


25 


TABLE  I 


Reliability,  Maintainability,  and 
State  Readiness  Indices 


Equipment 


Radar 

Bombing 

Terrain 

Avoidance 


Toss -bomb 

Computer  (TBC) 


Sight  System 


Doppler 


Direction 
Finder  (DF) 


Tacan 


Instrument  Land¬ 
ing  System 
(ILS) 


Communication 
Equipment 
(UHF  & 
Amplifier) 


Identificati .u 
Equipment  (IFF) 


Mean-time- 
be tween- 
failure — t . 
(hours) 


Me  an- down  - 
time--t , 
(hours ) 


V1 

vo 

0.842 

0.833 

0.158 

0 . 167 

0.833 

0.167 

0.990 

0.010 

0.571 

0.429 

0.980 

0.020 

0.926 

0.074 

0.980 

0.020 

0.972 

0.028 

0.971 

0.029 

7.2  Determination  of  Availability 


In  this  example,  two  factors  will  be  considered  in 
establishing  the  Availability  vector. 

V  =  The  probability  that  an  equipment  (or  group  of 

equipments)  is  in  a  particular  state  of  readiness, 
and 

W  =  The  probability  that  an  aircraft  will  be  launched 
with  the  equipments  in  a  particular  state  of 
readiness . 

These  two  factors  will  be  discussed  in  the  following 
sections. 


7.2.1  State  Readiness 

Except  for  the  Navigation  function  and  the  Blind-Toss 
Bomb  function,  the  state  readiness  for  each  function  is 
defined  by  the  state  readiness  of  the  equipment  performing 
that  function.  Therefore,  with  the  two  exceptions  noted,  the 
state  readiness  figures,  V^,  are  as  shown  in  Table  I.  The 
exceptions  are  discussed  below. 

(a)  Navigation  Equipment 

Considering  two  possible  states  of  each  of  three  naviga¬ 
tional  equipments  results  in  eight  (8)  different  states  of 
the  overall  navigational  system.  These  are  defined  in  Table  n. 


27 


TABLE  II 

Navigation  System  States 


Navigational 

State 

Designation 

Doppler 

State 

Tacan 

State 

Direct; on 
Finder 
State 

N1 

1 

"l 

1 

n2 

1 

1 

0 

N3 

1 

0 

1 

n4 

0 

1 

1 

K5 

1 

0 

0 

n6 

0 

1 

0 

n7 

0 

0 

1 

n8 

0 

0 

0 

The  Navigational  state  readiness  figure  may  be  deter¬ 
mined  by  multiplying  the  probabilities  that  each  of  the 
th  ee  equipments  will  be  in  the  prescribed  state.  For 
example, 

VN  =  VQ (Doppler)  •  V^Tacan)  •  V1(DF) 

=  0.429  x  0.926  x  0.980 
=  0.389. 

The  probability  that  the  combined  Doppler-Tacan- 
Direction  Finder  group  will  be  in  each  of  the  eight  defined 
states  is: 


28 


State 

Number 


(0.571) (O.926) (O.98O) 
(0.571)(0.926)(0.020) 
(0.571) (0.074) (O.98O) 
(0.429) (0.926) (0.980) 
(o.57i)(o.074)(o.020) 
(0.429) (0.926) (0.020) 
(0.429) (0.074) (0.980) 
(0.429)(0.074)(0.020) 


0.518 

0.011 

0.041 

0.389 

0.001 

0.008 

0.031 

0.001 


(b)  Blind-Toss  Bombing  Equipment 


As  in  the  case  of  the  navigational  system,  multiple 
states  exist  for  the  Blind-Toss  Bombing  functiob.  The  four 


possible  states  are  defined  in  Table  HI. 


TABLE  m 

Blind- 

Toss  System 

States 

Blind-Toss 

Radar 

State 

Toss -Bomb 

State 

Computer 

Designation 

State 

B1 

1 

1 

B2 

1 

0 

B3 

0 

1 

b4 

0 

0 

29 


The  probability  that  the  combined  Bombing  Radar-Toss 
Bomb  Computer  group  will  be  in  one  of  the  four  states  is 

State 

Number 

VB1  =  (0.842) (0.833)  =  0.701 

VB2  =  (0.842) (0.167)  =  0.141 

VB^  =  (0.158) (O.833)  =  0.132 

yb^  =  (0.158) (0.167)  =  0.026 

7.2.2  Probability  of  Launch 

We  shall  now  consider  the  fact  that  launch  will  not 
always  be  precluded  because  a  particular  equipment  is  not 
ready.  Since  in  many  cases,  some  bombing  capability  exists 
even  with  inoperative  equipments,  the  possibility  of  launch¬ 
ing  aircraft  in  degraded  states  should  be  considered. 
Estimates  of  the  probabilities  of  launch  for  various  equip¬ 
ment  states  are  assumed  to  be  as  shown  in  Table  IV. 

7.3  Determination  of  Dependability 

The  next  step  in  the  evaluation  procedure  is  to  deter¬ 
mine  the  state  transition  probabilities  for  each  equipment 
during  the  mission.  Because  no  in-flight  repair  is  possible. 


t 


30 


TABLE  IV 


Probabilities  of  Launch 


Equipment 

State 

Probability 
of  Launch (W) 

For  All  Mission 

Type 

Radar  (Terrain 

1 

1.0 

Avoidance) 

0 

0.0 

Communications 

1 

0 

o  o 

•  * 

H  O 

Identification 

1 

0 

1.0 

0.2 

Landing  System 

1 

0 

1.0 

0.95 

Navigation 

E9 

1.0 

S3 

1.0 

HI 

1.0 

0.1 

R9 

0.8 

0.0 

mm 

0.0 

0.0 

For  Lay-dQTjm 
Delivery^ 

OOO 

H  O 

Sight  System 

O  H 

k  / 

For  Visual  Toss-v 

Toss  Bomb 

1 

1.0 

Computer 

0 

0.7 

For  Blind  Toss-^/ 

B-, 

1.0 

B2 

0.5 

0.0 

11 

4 

0.0 

'£/  Condition  of  Bombing  Radar  and  Toss  Bomb  Computer  not 
significant. 

V  Condition  of  Bombing  Radar  and  Sight  Svstem  not  significant 
y  Condition  of  Sight  System  not  significant. 


31 


no  transition  from  State  0  to  State  1  is  possible  (Rq-^-O). 

For  the  same  reason,  an  equipment  which  starts  in  State  0 
is  certain  to  remain  in  that  state  during  the  flight 
(Rqq=1.0).  The  remaining  transition  probabilities  may  be 
determined  from: 

t  /t„ 

(a)  Rn  =  e'  m 

where 

t  =  mission  time  during  which  equipment  will  be 
m  in  operation,  and 

t^  =  mean-time-between-failures. 

(b)  R10  =  1  “  Rn 

These  probabilities  are  shown  in  Table  V. 

7.4  Determination  of  Capability 

The  remaining  parameter  to  be  determined  is  the  Cap¬ 
ability  for  each  of  the  functional  equipment  groupings.  The 
capability  figures  will  be  discussed  in  the  following  for 
each  of  these  groupings. 

a.  Navigation  Equipment 

The  aircraft  must  be  able  to  navigate  to  within  5  miles 
of  the  target  by  use  of  the  Navigation  equipment;  from  this 
point,  target  identification  can  be  accomplished  by  other 


32 


TABLE  V 


Equipment  Transition  Probabilities 


Equipment 

Mean-time- 
between- 
failures--t ~ 
(hours) 

Radar 

Bombing 

Terrain 

Avoidance 

32 

4o 

Toss-bomb 

Computer  (TBC) 

20 

Sight  System 

200 

Doppler 

20 

Direction 

Finder  (DF) 

100 

Tacan 

50 

Instrument  Land¬ 
ing  System 
(ILS) 

150 

Communication 
Equipment 
(UHF  & 
Amplifier) 

70 

Identification 
Equipment  ( IFF ) 

100 

Mean-down- 
time — t . 
(hours )u 


R11 

R10 

0.9876 

0.9900 

0.0124 

0.0100 

0.9851 

0 . 0149 

0.999 

0.001 

0.9418 

0.0582 

0.9881 

0.0119 

0.9763 

0.0237 

C.998 

0.002 

0.9943 

0.0057 

0.9881 

0.0119 

methods.  On  its  return  flight,  it  must  be  able  to  navigate 
to  within  10  miles  of  its  assigned  base.  While  the  navi¬ 
gation  function  can  be  supplied  by  three  different  equip¬ 
ments,  the  capability  of  each  is  different.  The  Doppler 
has  a  basic  capability  (C)  of  0.9 5 3  the  Tacan,  0.9;  and 
the  DF,  0.8.  That  is,  the  Doppler  navigator  can  provide 
the  required  accuracy  with  a  probability  of  0.95;  the 
Tacan,  with  0.9  probability;  and  the  DF  with  0.8  probability. 

However,  because  the  Tacan  and  DF  depend  upon  external 
signals  from  associated  ground  equipment,  the  probabilities 
that  these  signals  will  be  available  must  also  be  considered. 
This  can  be  most  easily  accomplished  by  modifying  the  equip¬ 
ment  Capability  figures.  While  the  Doppler  can  be  used 
at  any  time  that  it  is  operating  properly,  a  Tacan  ground 
station  will  be  available  only  50^  of  the  time,  and  a  DF 
ground  station,  only  b0%  of  the  time. 

The  actual  capabilities  for  each  equipment,  then,  are: 

CDoppler  =  0,95 

CTacan  =  0*9(0*5)  -  0.45 

CDF  '  =  0. 8(0.4)  =  0.32. 


34 


Consideration  must  now  be  given  to  the  overall  Naviga¬ 
tion  Capability  in  each  of  the  eight  (8)  states  of  the 
navigation  system.  It  is  significant  that  the  aircraft  is 
not  committed  to  any  particular  state  situation.  That  is, 
if  a  state  transition  occurs,  navigation  in  the  resultant 


state  will  be  undertaken.  The  capabilities  are  shown  in 
Table  VI. 


TABLE  VI 

Navigation  Equipment  Capabilities 

Navigation 

Doppler 

Tacan 

DF 

State 

State 

State 

State 

State 

Capability 

N1 

1 

1 

1 

0.95 

n2 

1 

1 

0 

0.95 

n3 

1 

0 

1 

0.95 

■; 

0 

1 

1 

0.6l 

n5 

1 

0 

0 

0.95 

4 

0 

1 

0 

0.45 

N7 

0 

0 

1 

0.32 

n8 

0 

0 

0 

0 

The  capability  of  each  state  is  usually  the  capability 


of  the  operating  equipment  whose  individual  capability  is 
highest.  In  the  case  of  State  4,  however,  the  probabilities 
that  the  ground  stations  for  Tacan  and  DF  will  be  available 
must  also  be  considered.  The  capability  of  State  4,  then. 


4. 


is : 


(Probability  that  Tacan  can  be  used] (Tacan  capability]+ 
(Probability  that  only  DF  can  be  used] (DP  capability] 
(0.5)(0.9)+(l  -  0.5) (0.4) (0.8) 

0.45  +  0.16 

0.6l. 


35 


b.  Communication  Equipment 


For  this  particular  mission,  the  communication  function 
is  only  required  so  that  specific  target  assignment  can  be 
made  or  changed  after  the  aircraft  has  taken  off.  It  will 
be  assumed  for  this  example  that  specific  assignments  are 
always  made  when  the  aircraft  is  in  flight. 

The  communication  function  is  supplied  by  the  UHF 
Transmitter-Receiver.  A  necessary  accessory  equipment  is 
the  audio  amplifier.  Assuming  a  property  operating  ground 
station  at  the  base,  contact  between  the  aircraft  and  the 
base  can  be  maintained,  under  average  environmental  conditions, 
for  the  first  1/3  and  for  the  last  1/3  of  the  mission. 

(During  the  remaining  1/3  of  the  mission  the  aircraft  is  not 
within  communication  range  of  the  ground  station.)  It  is 
estimated  that  in  90#  of  the  cases  specific  target  assign¬ 
ments  and  changes  will  be  made  before  the  aircraft  is  out  of 
range.  In  the  remaining  10#,  an  unsuccessful  mission  will 
result. 

It  is  estimated  that  environmental  conditions  and  diffi¬ 
culties  with  the  ground  station  equipment  will  prevent 
required  communication  5#  of  the  time  when  the  aircraft  is 
within  range  of  the  base.  These  effects  will  be  reflected 
in  the  capability  figure  for  the  airborne  system. 


36 


The  capability  of  the  Communication  System,  then,  is 
expressed  as  the  probability  that  target  designation  and/or 
change  is  received  and  acknowledged  by  the  aircraft. 

CTJ  =  (probability  of  successful  communication, 
given  the  aircraft  is  within  range)  x 

(probability  of  being  within  range  when 
message  is  transmitted) 

In  State  1  (subsystem  operative), 

CTT  =  (0.95)  (0.90)  =  0.855. 

In  State  0  (subsystem  failed). 


c .•  Identification  Equipment 

During  the  mission,  the  aircraft--if  not  able  to 
identify  itself  properly — is  in  danger  of  being  attacked 
and  destroyed  by  friendly  forces.  The  Identification  Equip¬ 
ment  (IFF)  provides  the  identification  function.  It  has 
a  State  1  capability  of  1.0.  That  is,  in  all  cases,  a  prop¬ 
erly  operating  subsystem  will  respond  properly  to  a  friendly 
challenge  and  the  aircraft  has  a  probability  of  1.0  of  sur¬ 
viving  friendly  defense. 

Destruction  of  the  aircraft  is  not  certain,  however, 
even  when  this  subsystem  is  in  State  0.  This  fact  can  be 
conveniently  accounted  for  in  the  State  0  capability  figure. 


37 


The  aircraft  will  survive  if: 

(a)  it  is  not  challenged ,  or 

(b)  it  is  challenged,  but  not  destroyed. 


=  Probability  {  no  challenge  ]  + 
Probability  {challenge]  x 
Probability  (not  destroyed] 

=  (0.1)  +  (0.9) (0.9) 

=  0.1  +  0.8l 


=  0.91. 


d.  Terrain  Avoidance  Equipment 

The  Terrain  Avoidance  function  of  the  radar  is  the  only 
avionics  equipment  that  contributes  to  the  penetration  ability 
of  the  aircraft.  This  equipment  permits  flying  the  aircraft 
at  normal  attack  speeds  at  low  altitudes,  i.e.,  below  1000 
feet.  Without  this  equipment,  such  low-level  approaches  are 
not  possible.  It  will  be  recalled  that  the  anticipated  loss 
due  to  enemy  action  was  5#  for  low  altitude  approaches  and 
30#  for  high  altitude  approaches.  This  might  also  be  stated 
as  0.95  probability  of  survival  for  low  altitude  approach, 
and  0.7,  for  high  altitude  approach. 

Atmospheric  conditions  which  result  in  improper  radar 
returns  are  anticipated  1#  of  the  time.  This  condition  is 
reflected  in  the  Terrain  Avoidance  radar  basic  capability  of 
0.99. 


38 


The  penetration  capaoilities  (the  probability  of  penetra¬ 
ting  enemy  defenses),  when  the  effectiveness  of  enemy  action 


is  considered,  are: 


State  1-  -  Terrain  Avoidance  function  operable 

Cp  =  (Probability  that  radar  permits  low  approach)  x 

* n 

(Probability  of  survival,  given  low  approach)  + 
(Probability  radar  does  not  permit  low  approach)  x 
(Probability  of  survival,  given  high  approach) 

=  (0.99) (0.05) +(0.01) (0.70) 

=  0.9405  +  0.007 

-  0.9475. 


State  0  -  Terrain  Avoidance  function  inoperable 


Probability  of  survival,  given  high  approach 
0.70. 


e.  Target  Identification  and  Weapon  Delivery  Equipment 

The  target  can  be  identified  either  visually  or  by 
means  of  the  radar  equipment.  The  method  of  identifying  the 
target  will  be  visual  if  the  delivery  method  is  "visual", 
and  by  radar,  if  the  delivery  method  is  "blind" . 

The  ability  to  deliver  a  weapon  within  500  feet  of  an 
identified  target  is  dependent  upon  the  mode  of  delivery  and 
the  equipment  states.  For  this  example,  it  is  assumed  that 
the  probabilities  of  delivery  within  the  prescribed  500  feet 
have  been  estimated  for  the  indicated  states  and  delivery 
modes.  These  probabilities  are  shown  in  Table  VII. 


39 


TABLE  VII 


Delivery  Capabilities  by  Mode  and  State 


Delivery 

Mode 

Mode 

State 

Radar 

State 

Toss -Bomb 
Computer- 
State 

Sight 

System 

State 

Capabilities 

Lay-down 

L1 

n.a. 

n.a. 

1 

0.90 

Lay -down 

L0 

n.a. 

n.a. 

0 

0.70 

Visual 

Toss 

V1 

n.a. 

1 

n.a. 

0.80 

wan 

vo 

n.a. 

0 

n.a. 

0.60 

Blind 

B, 

1 

1 

n.a. 

0.75 

Toss 

B2 

1 

0 

n.a. 

0.4o 

B3 

0 

-L 

n.a. 

0.0 

b4 

0 

0 

n.a. 

0.0 

n.a.  =  not  applicable 


f .  Instrument  Landing  Equipment 

The  instrument  landing  system  (ILS)  when  functioning 
properly  has  a  capability  of  0.99*  That  is.  a  landing  with¬ 
out  damage  to  the  aircraft  or  injury  to  the  pilot  can  be 
made  99%  of  the  time.  In  weather  during  which  this  equipment 
is  not  required,  however,  the  probability  of  successful  land¬ 


ing  is  1.0. 


V  -V 


Recalling  that  visual  landing  procedures  are  possible 
95$  of  the  time,  the  probability  of  successful  landing  if 
the  ILS  is  operable  is: 

C,p  =  (Probability  of  visual  landing)  x 

(Probability  of  successful  landing  under  visual 
conditions)  + 

(Probability  of  ILS  landing)  x 

(Probability  of  successful  landing  under  ILS 
conditions ) 

=  (0.95) (1.0) +(0.05) (O.99) 

=  0.95  +  0.0495 
=  0.9995. 

If  the  ILS  is  not  operable,  no  capability  under  ILS 
conditions  exist,  and  the  overall  landing  capability  is 

CT  =  (0.95) (1.0 )+( 0.05) (0) 

-L0 

u  =  0.95. 

8.0  Model  Exercise 


8.1  Effectiveness  of  Individual  Functions 

With  all  of  the  basic  parameters  now  available,  the 
individual  Effectiveness  figures  for  each  mission  function 
can  now  be  determined.  The  probability  of  performing  each 
required  mission  function  will  first  be  determined.  These 
probabilities,  since  they  are  independent,  will  then  be  com¬ 
bined  to  establish  the  mission  effectiveness. 


41 


a. 


« 


Communication 


EC  -  Ac[Dc]cc 


= 


V,  vn  i 


c  rroj 


"  wx  o  i 
L°  woJ 


D, 


a- 


Fl.O  0  i 

972  0 . 028] 

J 

1  L  0  0  J 

’li  V 

0.99^3 

0.0057 

'oi  DooJ 

L° 

1,0  j 

LC0 


"0.855" 


o 


Ec  =  0.8265 


42 


b .  Navigation 


V  “  an  [dn]  cn 
h  -  [vlW4W7V8] 


1.0 

1.0 


=  f.518  .011  .o4i  .389  .001  .008  .031  .001]  i.o 
L  J  0.1 


N= D 


D11  D12  *  *  *  Dl8 

Do  n  •  •  •  DoO 


d8i  d82 


In  this  matrix,  the  following  elements,  for  example,  are 


computed  from: 


D1I  =  V  %  DBFu 

D1S  -  V  DTn  % 
D35  ■  DDu  DDF1q 


D~c  =  0  (Transition  from  State  3  to  State  6  is  not 
•*  possible.) 


43 


f 


where  subscripts  D,  T,  and  BF  represent  respectively, 
Doppler,  Tacan,  and  Direction  Finder. 

".9085  .0109  .0220  .0561  .0003  .0007  .0014  .0000 

0  ,9195  0  0  .0223  .0568  0  .0014 

0  0  ,9306  0  .0112  0  .0575  .0007 

000  .9647  0  .0116  .0234  .0003 

0000  .9418  0  0  .0582 

00000  .9763  0  .6237 

000000  .9881  .0019 

0  0  0  0  0  0  0  1.0 

‘C1 
C2 
c3 

c4 

cn=  4 

C6 
C7 
_C8 

%  =  0.5537. 


r  0.95" 

0.95 

0.95 

0.61 
=  0.95 
0.45 
0.32 
0 


44 


Identification 


D11  D10 
-D01  D00- 


' . 9881  . 0119 

_0  1.0 


Ej.  =  0.9751 


d.  Penetration 


Ep  =  0.7875 


45 


e .  Landin, 


Et  =  Q.9975 


El  =  0.8964 


46 


Visual  Toss  Mode 


Kh 


C„  =  | 


\  lDv] 

CV 

KV0i 

rw  o  ■ 

|  i  =  ‘-833 

Lo  WqJ 

“1.0 

. 167 ; ; 

JL  0 

~D11 

Dio' 

.0149"; 

-D01 

D00J  LO  1 

1 

.0  j 

[V . 

r'.8oi 

1 

— 1 
o 
o 

. j 

— i 

o 

VO 

• 

Ey  =  0.73^2 


47 


y  Because  the  Capability  in  States  3  and  4  is  zero, 
these  states  need  not  be  treated  explicitly  in  the 
computation. 


48 


<y 

<> 


8.2  Effectiveness  for  Individual  Mxssion  Types 


The  individual  functional  effectiveness  figures  may  now 
be  combined  to  evaluate  the  system  effectiveness  for  each 
mission  type. 

Lay-down  Delivery  Mission  (E-^) 

E1  =  (Ec  Ei  en  et  ep)  el 

=  [( .8265) ( .9751) ( .5537) (.9975) (•7875)]  .8964 

=  (.3500) (.8964) 

=  0.3142 

Visual  Toss  Delivery  Mission  (E^) 

E2  =  (EC  %  %  ET  EP)  ?V 
=  (.3500) (.7342) 

=  0.2574 


Blind  Toss  Delivery  Mission  (E^) 

E3  =  (EC  %  ^  ET  Ep)  *3 
=  (.3500) (.5439) 

=  0.1907 


The 

obtained 


8.3 

single 
from 
E  =  E 


Overall  System  Effectiveness 
,  overall  system  effectiveness  figure  is  now 


1P1 


+  ^2^2.  +  E3P3 


49 


where  P.2>  and  P^  are  the  probabilities  that  each 
mission  type  will  be  flown. 

p  (probability  of  Lay-down  Delivery)  =  (Probability  of  daytime 
1  mission)  x 

(Probability  of  VFR 
conditions)  x 

(Probability  that  Lay- 
down  Delivery  is  pre¬ 
ferred) 

-  (.58)(.8)(.8) 

=  0.3712 

P^ (probability  of  Visual  Toss  Delivery)  =  (Probability  of  day- 
^  time  mission)  x 

(Probability  of  VFR 
conditions)  x 

(Probability  that 
Toss  Bombing  is 
preferred) 

-  (  58) ( .8) ( .2) 

=  0.0928 

P_ (probability  of  Blind  Toss  Delivery)  =  (Probability  of  night 
8  mission)  + 

(Probability  of  IFR 
conditions)  - 

(Probability  of  night 
mission  and  IFR 
conditions) 

=  .42  +  .2  -  ( . 42 )  (  . 2 ) 

=  0.536 

E  =  ( .3142) ( .3712)+( .2574) ( .0928)+( .1907) ( .536) 

=0.2427. 


50 


8.4  Application  of  Model  Results 


It  was  stated  in  the  introduction  that  this  evaluation 
was  being  performed  during  the  Program  Definition  phase,  and 
that  Force  Structure,  i.e.,  the  number  of  systems  required 
to  accomplish  a  specific  mission,  was  of  prime  concern. 

It  can  be  shown  that  if  one  system  has  a  probability,  E, 
of  accomplishing  a  mission,  the  the  probability  that  at  least 
one  of  N  systems  will  accomplish  the  mission  (S)'is: 

S  =  1  -  (1-E)N 

In  order  to  determine  the  number  of  systems  required  to 
attain  a  fixed  value  of  S  for  a  particular  value  of  E  the 
equation  may  be  written: 


Figure  3  shows  this  relationship  for  S  values  of  O.95 
and  O.90.  That  is,  any  point  on  the  95#  curve  shows  the 
number  of  systems  of  effectiveness  E  that  would  be  required 
to  provide  0.95  assurance  of  successful  mission  completion. 

Considering  the  upper  curve,  note  that  for  the  System 
Effectiveness  of  0.24  computed  in  the  previous  section, 
eleven  (11)  systems  would  be  required  to  provide  a  0.95 


51 


1.0 


(a)  SS9U9Af40SJJa 


52 


NUMBER  OF  SYSTEMS  (N)  REQUIRED  TO  PROVIDE  ASSURANCE  (S) 

OF  MISSION  ACCOMPLISHMENT  AS  A  FUNCTION  OF  SYSTEM  EFFECTIVENESS  (E) 


assurance  of  a  successful  mission.  If  the  Effectiveness 
could  be  raised  to  0.4,  six  (6)  systems  could  provide  the 
same  assurance.  A  question  that  might  be  asked,  then,  is 
"What  is  the  optimum  method  for  attaining  the  required 
assurance  of  mission  success?"  Should  the  expected  Effec¬ 
tiveness  be  accepted  and  the  required  quantity  of  aircraft 
be  obtained;  or  should  efforts  be  made  to  increase  the 
Effectiveness  so  that  fewer  aircraft  would  be  required? 

No  effort  will  be  made  here  to  treat  optimization  pro¬ 
cedures  in  general.  The  reader  is  referred  to  the  report 
of  Task  Group  IV  for  this  purpose.  However,  an  elementary 
procedure  that  might  be  employed  in  the  initial  trade-off 
analyses  is  described  in  the  following. 

While  the  many  inputs  to  the  model  represent  the 
effects  of  a  wide  range  of  influencing  factors,  assume  that 
the  analysis  being  performed  during  this  particular  phase 
of  Program  Definition  is  concerned  only  with  those  factors 
over  which  the  hardware  designer  has  some  degree  of  control. 
These  are  essentially  the  capability,  the  reliability,  and 
the  maintainability  of  each  equipment.  If  each  of  these 
factors  is  varied  over  some  pre-determined  range  and  the 
resultant  Effectiveness  figures  computed,  an  indication  of 


53 


the  areas  of  high  potential  pay-off  will  be  available. 

This  procedure  was  followed  in  this  example  for  the  reli¬ 
ability  and  maintainability  characteristics.  The  calcula¬ 
tions  described  in  the  preceding  sections  were  repeated  for 
six  values  of  mean  time  between  failures  and  five  values  of 
mean  down  time  for  each  equipment.  Utilization  of  even  modest 
computing  equipment  makes  this  procedure  completely  feasible. 
Figures  4  and  5  show  the  results  of  these  analyses. 

An  initial  examination  of  these  figures  shows  that  the 
influence  on  Effectiveness  of  a  given  percentage  change  in 
either  tf  or  td  will  be  greatest  for  the  Doppler,  followed 
by  the  Terrain  Avoidance  Radar,  the  Bombing  Radar,  the  Toss 
Bomb  Computer,  etc.  V 

These  results  would  initiate  a  re-examination  of  the 
reliability  and  maintainability  predictions  for  the  equip¬ 
ments  in  the  order  listed.  Some  criteria  against  which 


u  In  this  relatively  simple  example,  these  results  might 
seem  to  point  out  the  obvious,  e.g.,  that  the  Doppler 
could  have  been  recognized  from  Table  X  as  the  major 
problem  area.  Note,  however,  that  the  mean-time-between- 
failures  (tf)  for  the  Computer  is  equal  to  that  for  the 
Doppler.  Had  corrective  actions  been  based  only  upon  the 
tf  figures  and  equal  efforts  accorded  these  two  equip¬ 
ments,  the  improvement  in  Effectiveness  per  unit  of  effort 
would  have  been  considerably  less  than  had  the  major 
effort  been  applied  to  the  Doppler. 


54 


OtT'O 


(a)  BB9U3Af^03JJa 


56 


FIGURE  5 

INFLUENCE  ON  SYSTEM  EFFECTIVENESS  OF  VARIATIONS 
MEAN-DOWN-TIMES  FOR  EACH  EQUIPMENT 


possible  changes  in  the  equipments  might  be  weighed  are 
now  available.  For  example,  a  5 0 %  reduction  in  mean-down¬ 
time  for  the  Doppler-  would  be  equivalent  to  reducing  the 
number  of  aircraft  required  for  a  successful  mission  from 
11  to  9j  or  a  force  reduction  of  about  l8 %.  An  approxima¬ 
tion  of  the  projected  savings  to  be  realized  by  such  a 
reduction  can  then  be  weighed  against  the  costs  to  be 
incurred  in  decreasing  the  down-time  by  5 0 


57 


« 


EXAMPLE  B 

INTERCONTINENTAL  BALLISTIC  MISSILE  SQUADRON 


58 


CONTENTS 


1  Z2S® 

I.  INTRODUCTION  AND  SUMMARY .  67 

II.  EFFECTIVENESS  EVALUATION  BY  TASK  ANALYSIS 

DESIGNATOR  NUMBERS  .  73 

1.0  Mission  Definition .  73 

1.1  Functional  Definition  of  Mission . 73 

1.2  System  Requirements .  73 

2.0  System  Description .  74 

2.1  General  Configuration  .  74 

2.2  Block  Diagram . 75 

2.3  Engineering  Drawings . 75 

2.4  System  Function  Analysis . .  .  77 

2.5  Physical  Factors  Sunsnary  Documents . 77 

2.6  Equipment  Running  Time  Line  Analysis .  77 

2.7  Integrated  Task  Index . 77 

2.6  Unit  Manning  Document  . . 82 

2.9  Reliability  Indices  Reports . 82 

2.10  The  Data  Handbook  . . 82 

2.11  Provisioning  Requirements  Document . 82 

2.12  Cost  Indices  Document  .  82 

2.13  RFB  Diagram . 82 

2.14  Weapon  System  Summary  .  85 

2.14.1  Delineate  the  STOC  and  Their  Time 

Lines  by  Subsystem . 85 

2.14.2  Delineate  Targeting  Policy  .  85 

2.14.3  Delineate  Physical  Factors  .  85 

2.14.4  Delineate  Personnel  Conposition  .  86 

2.14.5  Delineate  Maintenance  Policy 

TVpes  and  Time  Lines . 86 

3.0  Specification  of  Figures  of  Merit  (F.O.M. ) . 87 


59 


CONTENTS  (Continued) 


Page 


4.0  Identification  of  Accountable  Factors  .  95 

4.1  Define  Level  of  Accountability .  95 

4.2  Hardware .  95 

4.3  Procedures  .„...• .  96 

4.4  Personnel .  96 

4.5  Logistics .  96 

4.6  Specify  Data  Constreiints .  97 

5.0  Mathematical  Model  Construction  .  98 

5.1  Assumptions .  98 

5.2  Definitions  and  Symbols .  98 

5*3  Delineation4of  Possible  Outcomes  .  104 

5.4  Delineation  of  System  States .  104 

5.5  Availability .  1 06 

5-5*1  System  Models .  106 

5*5*1*1  TSie  Availability  Vector  ....  106 

5.5*1 *2  Composite  Steady  State  Model  .  .  106 

5. 5*1*3  Transient  (Augmented) 

Availability .  110 

5.5*2  Subsystem  Models .  114 

5. 5*2.1  Re-Entry  Vehicle  (Subsystem  A)  .  114 

5. 5*2.2  Guidance  (Subsystem  B)  ....  115 

5. 5* 2. 3  Autopilot  (Subsystem  C)  ....  1 1 6 

5. 5*2.4  Propulsion  (Subsystem  D).  ...  1 1 6 

5. 5*2. 5  Structure  (Subsystem  E)  ....  1 1 6 

5. 5.2.6  Overhead  Door  (Subsystem  F)  .  .  1 1 6 

5. 5*2.7  Air  Conditioning  (Subsystem  G)  .  117 

5* 5*2.8  Power  Generation  and  Distribution 

(Subsystem  H) .  117 

5*5*3  Apparent  Availability .  113 

5.6  Dependability .  119 

5*6.1  System  Models .  119 


5. 6. 1.1  The  System  Dependability  Maurix  .  119 

5. 6. 1.2  Communication  Reliability  ...  119 
5* 6. 1.3  Countdown  Reliability  ....  120 
5* 6. 1.4  Flight  Reliability  .  123 


60 


CONTENTS  (Continued) 


Page 

5-6.2  Subsystem  Reliability  Models . 123 

5-6. 2.1  Countdown  Models  .  123 

5. 6. 2. 2  Flight  Models  .  124 

5-7  Design  Capability  .  .  .  . . 124 

5-7*1  System  Models . 124 

5. 7*1»1  Capability  Vector  .  124 

5.7.1. 2  Fer  Unit  Kill  Probability  ...  126 

5.7.2  Subsystem  Models . 129 

5. 7* 2.1  Guidance  Dispersion  P  .  129 

5. 7 .2. 2  Point  Target  Blast  ® 

Coinage  Function . 131 

6.0  Data  Acquisition . 133 

6.1  Specification  of  Data  Elements . 133 

6.2  Specification  of  Test  Methodology . 134 

6.3  Specification  of  Data  Reporting  System  .  .  .  .  135 

7.0  Specification  of  Parameter  Estimation  Methods  .  .  .  140 

7.1  Point  of  View . 140 

7.2  Techniques  of  Parameter  Estimation  from  Field 

Data  on  Periodically  Checked  Systems  .  141 

7.2.1  Introduction . 141 

7.2.2  Time  Line --Sequence  of  the_Basic 

Periodic  Maintenance  Policy  .  142 

7.2.3  The  Concepl.  of  a  Test . 142 

7.2.4  The  Probability  of  Passing  a  Test  .  .  .  145 

7.2.5  Maximum  Likelihood  Estimate  of  the 

Probability  of  Passing  a  Test  ....  147 

7.2.6  Use  of  Variable  Standby  Duration  as 

a  Means  of  Variable  Separation  ....  148 

7.2.7  Use  of  Back  to  Back  Checkouts  in 

Effecting  Separation  of  the  Variables  .  150 

7.2.8  The  Role  of  Failure  Analysis . 155 

7.2.9  Estimation  of  P^C™] . 157 

7.2.10  Estimation  of  Pj.[t/b] .  157 


61 


CONTENTS  ( Continued ) 


7*3  Summary  of  Estimates  in  Terms  of  Test  Methodology  •  158 

8.0  Model  Exercise . 160 

8.1  Numerical  Evaluation . 160 

8.1.1  List  of  Parameter  Values . 160 

8.1.2  Availability . 160 

8. 1.2.1  Steady  State  Values  .  160 

8.1.2. 2  Augmented  Availability  .  .  .  .  16  2 

8.1.3  Countdown  Reliability  .  164 

8.1.4  Flight  Reliability  .  165 

8.1.5  Dependability  Matrix . 1 66 

8.1.6  Capability . 171 

8.1.7  Expected  Kill  (E) . 171 

III.  APPLICATION  OF  MODEL  RESULTS . 173 

1.0  Comparative  Systems  Analysis  .  173 

1.1  Comparison  of  Best  Estimate  with  S.O.R . 173 

1.2  Flight  Reliability  Ranked  by  Subsystem  .  .  .  .  173 

1.3  Countdown  Reliability  Ranked  by  Subsystems  .  .  .  173 

1.4  Availability  Ranked  by  Subsystem . 173 

2.0  Parameter  Variation  Study  on  Availability . 17  5 

2.1  Subsystem  Availability  .  175 

2.1.1  Subsystem  A . 175 

2.1.2  Subsystem  B . 177 

2.1.3  Subsystem  CDEF . 177 

2.1.4  Subsystem  G .  .  .  177 

2.1.5  Subsystem  R . 184 

2.2  Per  Unit  Kill . 184 

3.0  Recalculation  of  E  Based  on  Potential  System 

Improvements . 187 


62 


r 


CONTENTS  (Continued) 

APPENDIX  I  Weapon  System  Capability]  Availability 

Models  and  Parameter  Estimation  .  191 

APPENDIX  II  The  Probability  of  Launch  When  Two  Attempts 

are  Permissible . ' .  213 

APPENDIX  III  Derivation  of  the  Expressions  for  the  Expected 

Change  of  Status  Delay  in  a  Several  Unit  System  .  221 

APPENDIX  IV  The  Detailed  Model  for  a  Remove  and  Replace 

Maintenance  Cycle  .  228 


63 


ILLUSTRATIONS 


Figure  Page 

1  Functional  Flow  Diagram  of  Atlas  "F"  Weapon 

System  Operational  Ground  Equipment  .  76 

2a  Monitor  Site  EWO  Readiness  Figure  1.0-1  ....  78 

2b  Monitor  Status  and  Ready  Patches  During  Standby 

Figure  1.1-1 . 79 

3  Time  Line  for  Re-Entry  Vehicle  in  STOC  (Countdown)  80 

4  SMA  Missile  Periodic  Inspection  -  Task  Durations 

and  Manning  Requirements  .  81 

5  Failure  Rate  Estimates  Based  on  Generic  Data 

and  Limited  Subsystem  Testa .  83 

6  Typical  RFB  Diagram  (Subsystem  A,  Re-entry 

Vehicle  During  Countdown) .  84 

7  Time  Line  Analysis  of  Calendar  Replacement 

Policy  for  Subsystem  A .  88 

8  Time  Line  Analysis  of  Sequential  Checkout  Policy 

for  Subsystem  B .  89 

9  Typical  Time  Line  Analyses  of  Joint  Maintenance 

Policy  of  Subsystems  C,  D,  E,  and  F .  90 

10  Equivalent  Time  Line  for  the  ith  Subsystem  of  the 
Joint  Maintenance  Policy  for  Subsystems  C,  D,  E,  and 

and  F .  91 

1 1  Typical  Time  Line  of  a  Continuously  Monitored 

System  Showing  Dwell  Time  in  Various  States 
(Subsystems  G  and  H) .  92 

12  Possible  State  Transitions  for  Continuously 

Monitored  Systems  Showing  Rates  of  Transition 
(Subsystems  G  and  H) .  93 

13  Time  Line  Analysis  of  TCTO .  94 

14  Coordinate  System  of  Missile  Impact  Dispersion  .  130 

15  Action  of  a  Checkout  (Test)  at  the  "Point  of  Test 

Decision,"  t  =  +  Tc  on  a  System  that  is 

Discretely  Monitored.  .1  .  144 

16  A  Sequence  of  Two  Back-to-Bacl;  Checkouts  Out  of 

Standby  Without  Regard  for  the  First  Test  Results.  151 

17  A  Sequence  of  Three  Checkouts  Back-to-Back  Without 

Regard  for  the  Intermediate  Test  Results  ...  152 


64 


ILLUSTRATION S  (Continued) 


Page 

18  Augmented  Availability . 163 

19a  Launch  Reliability  When  Only  One  Attempt  is 

Permitted . . . 168 

19b  Launch  Probability  When  Two  Attempts  (With  Repair 

of  Aborts)  is  Permitted . 169 

20  Availability  of  Re-entry  Vehicle  as  a  Function  of 

the  Replacement  Interval . 176 

2  1  Availability  of  Guidance  System  as  a  Function  of 

the  Duration  of  Alert  Status . 178 

22  Availability  of  the  Autopilot  as  a  Function  of  the 

Alert  Status . 179 

23  Availability  of  the  Propulsion  Subsystems  as  a 

Function  of  the  Duration  of  Alert  Status  ...  180 

24  Availability  of  the  Structure  as  a  Function  of  the 

Duration  of  Alert  Status  . 

25  Availability  of  the  Overhead  Door  as  a  Function  of 

the  Duration  of  Alert  Status .  182 

26  Composite  Availability  of  Subsystem  C,  D,  E,  F  .  .  183 

27  Variation  of  Unit  Kill  Probability .  185 

28  Variation  of  Expected  Kill  as  a  Function  of  the 

Humber  of  Delivered  Warheads  .  186 


65 


TABLES 


I  Expected  Kill  as  a  Function  of  Targeting . 127 

II  Data  Available  from  Current  Air  force  Data  Reporting 


Systems . 137 

III  Parameters  That  May  Be  Estimated . 159 

IV  parameter  Values  .  1 6 1 


V  Availability  of  the  System  by  Subsystems,  et  al.  .  .  162 

VI  Summary  of  Countdown  Reliability  Prediction  by 


Subsystem . 165 

VII  Summary  of  Flight  Reliability  Prediction  by 

Subsystem . 166 

VIII  SOR  Requirements  and  Model  Outputs  •  .  .  .  .  .  .  173 

IX  Subsystem  Apportionment  Against  SOR . 174 

X  Flight  Reliability  by  Subsystem . 174 

XI  Countdown  Reliability  by  Subsystem . 175 

XII  Optimum  Standby  Duration  for  Subsystems  C,  D,  E,  F  •  177 

XIII  Effects  of  Alterations  on  Subsystem  H .  184 

XIV  Effect  of  Revised  Checkout  Frequencies  on  Subsystem 

Availability .  187 

XV  Expected  Kill  for  Various  System  Changes  ....  18‘ 


66 


1/ 

I.  INTRODUCTION  AND  SUMMARY 

It  is  the  specific  object  of  this  document  to  provide  an  example  of  the 
analysis  of  an  ICBM  fleet  which  will  illustrate  the  formal  mathematical 
structure  adopted  by  Task  Group  II  of  the  WSZXAC .  Symbolically,  this 
structure  is  given  by 

E  =  A*  [D]  C  (1) 

where 

2  is  system  effectiveness 

A  is  the  readiness  vector  and  A'  is  its  transpose. 

[Dj  is  the  dependability  matrix. 

C  is  the  design  capability  (performance)  vector. 

The  point  of  view  which  is  adopted  here  is  that  the  evaluation  and/or  pre¬ 
diction  of  system  effectiveness  is  the  result  of  the  interaction  of 
.  Weapon  system  criteria 
.  Mission  description 
.  Weapon  system  description 


3ecause  the  ICBM  fleets  have  reached  the  acquisition  and  operational  phases 
of  system  life,  this  memorandum  does  not  reflect  the  application  of  models 
in  the  conceptual  and  program  definition  phases  of  system  development.  This 
is  perhaps  unfortunate  since  hindsight  frequently  has  the  quality  of  20-20 
vision.  Nevertheless,  it  is  felt  that  this  document  will  prove  most  useful 
if  it  is  concentrated  on  methods  and  techniques  for  current  ard  fuvure  weapon 
system  evaluation  and  improvements.  Therefore,  we  shall  limit  the  dis¬ 
cussion  on  the  role  of  models  in  the  various  phases  of  system  life  to  the 
following  brief  remarks. 

17  The  material  presented  in  this  example  is  an  abstraction  from 
~  *A  Compendium  of  Atlas -Sponsored  Developments  in  Reliability 
and  Availability.  "  Vol.  I,  AD  420882;  Vol.  II,  AD  420883:  and 
Vol.  Ill,  AD  420884. 


67 


A  system  evolves  through  four'  relatively  distinct  phases,  namely: 

.  conceptual  phase 
.  program  definition  phase 
.  acquisition  phase 
operational  phase 

In  the  conceptual  phase,  feasibility  studies  are  conducted  to  test  the  ability 
of  the  current  state  of  the  art  to  support  the  proposed  system  development. 

Out  of  this  phase  a  set  of  specific  operational  requirements  emerges. 

The  program  definition  phase  continues  the  feasibility  studies,  pinpoints 
potential  problem  areas,  and  results  in  a  firm  system  description  to  the  :  :a;:or 
subsystem  level.  This  phase  terminates  with  a  set  of  firm  system  specifica¬ 
tions  which  initiates  the  acquisition  phase. 

In  the-  acquisition  phase  system  hardware  is  designed,  developed,  and  tested. 
System  production  initiates  the  operational  phase. 

The  precise  manner  in  which  a  model  is  implemented  in  any  of  these  phases 
depends  upon  the  point  in  time  at  which  the  evaluation  is  made.  Consider, 
for  example,  the  problem  of  designing  a  launch  vehicle  for  an  information 
retrieval  spacecraft  in  I9S5.  Specifically’-,  let  the  problem  be  to  determine 
the  feasibility  of  achieving  a  certain  reliability  of  countdown- c.nd  a  certain 
reaction  time  consistent  irith  a  narrow  launch  window. 

A  countdown  may  be  regarded  as  an  event  during  which  the  vehicle  and  its 
launch  complex  act  as  a  single  unit.  There  are  two  properties  of  a  countdown 
of  particular  interest  here . 

.  the  probability  of  completing  a  countdown. 

.  the  duration  of  a  countdown  in  excess  of  scheduled  time. 


68 


We  may  e;rpress  these  two  properties  as 

P  ,[tj  =  P  ,  [«]  P  Jt/cdl 
cd  J  cd  J  cd'  '  1 

where 

P  =  probability  of  completing  a  countdown  without  regard 

for  its  duration  (no  abort). 

P^Ct/cd]  =  probability  that  a  countdowns  will  exceed  the  scheduled 
countdown  duration  by  t  or  less;  given  that  the 
countdown  is  completed. 

During  the  feasibility  studies  of  the  conceptual  phase,  gross  generic  data 
would  be  utilized  from  all  available  sources,  for  example,  AMR  data  on 
Atlas  D  development  launches  might  be  used  without  much  regard  for  the  finer 
differences  in  hardware  or  procedures  between  the  Atlas  D  and  the  proposed 
system. 

Once  the  feasibility  has  been  established  and  the  program  definition  phase 
is  well  along,  a  second  look  at  the  system  is  taken.  The  system  is  now 
fairly  well  defined  to  the  subsystem  level,  but  there  is  still  no  actual 
hardware  from  which  to  obtain  data,  so  the  Atlas  D  data  would  again  be  used; 
except  that  now  that  data  would  be  examined  at  the  subsystem  level  and  all 
non-relevant  data  rejected. 

During  the  acquisition  phase,  the  scope  of  modeling  would  be  e:rtended  to  the 
piece  part  level  using  generic  failure  rate  data.  The  system  data  on  the 
Atlas  D  launches  would  no  longer  be  useful  since  the  structure  of  the  model 
is  now  far  more  detailed  than  in  the  preceding  phase. 

Toward  the  end  of  the  acquisition  phase  and  in  the  early  part  of  the 
operational  phase,  a  considerable  body  of  subsystem  test  data 
tends  to  accumulate.  During  this  time  period  the  model  structure  will  tend 
to  simplify  again  in  a  direction  which  can  accept  subsystem  data  rather  than 
piece  part  data.  Finally,  after  a  sufficiently  large  number  of  operational 


69 


units  are  in  existence,  the  model  structure  tends  to  simplify  to  the  gross 
system  level,  although  the  detailed  subsystem  and  piece  part  models  will 
still  play  a  part  in  assessing  proposed  system  alterations  at  those  levels 
of  detail.  Thus,  broadly  speahing,  there  are  three  levels  of  model  structure 
.  gross  system  model 
.  subsystem  model 
.  piece  part  model. 

In  the  present  document  we  shall  illustrate  these  three  levels  in  some  de¬ 
tail  for  an  ICBII,  with  the  understanding  that  their  degree  of  applicability 
depends  upon  which  phase  of  system  life  is  under  consideration. 

The  system  vhi ch  has  been  chosen  for  illustration  in  this  example  is  a 
squadron  of  ICBi-i's  consisting  of  nine  launch  sites  with  one  missile  per  site. 
The  squadron  is  treated  as  an  entity  without  reference  to  its  interface  with 
other  strategic  weapons  or  possible  enemy  counter  measures.  The  lowest  level 
of  consideration  is  a  subsystem,  as  opposed  to  a  lesser  aggregate  of  equip¬ 
ment,  except  in  the  case  of  the  re-entry  vehicle  for  which  a  piece  part 
reliability  model  is  developed.  Redundancy  is  illustrated  in  this  latter 
model . 

The  maintenance  policy  is  a  combination  of  scheduled  maintenance,  continuous 
monitoring,  and  a  fortuitous  implementation  of  TCTO's  performed  at  the  sub¬ 
system  level.  The  tests  are  not  assumed  to  be  either  accurate  or  complete. 
Repair,  if  it  is  required,  is  accomplished  by  remove  and  replace  at  the  sub¬ 
system  level.  It  is  assumed  that  one  maintenance  crew  tends  all  nine  missile 
sites  so  that  queuing  can  occur,  but  transportation  lag  time  is  not  accounted 
for.  Spares  provisioning  is  assumed  to  be  adequate  and  no  administrative 
down  time  occurs. 

Several  figures  of  merit  arc  illustrated  commencing  with  the  highest  level 
figure  defined  as  ‘'the  c:  pec  ted  number  of  targets  destroyed  per  squadron  when 
an  execution  directive  is  received  at  a  random  point  in  time."  Among  lesser 


70 


figures  of  merit  considered  are : 

.  relative  subsystem  rani:  by  reliability  indices  and  node  of  operatic:' 


.  relative  subsystem  ranging 


r>r*r>  ••  i  ''•'■i 

U-  VI  U.  -UV.  .  _L  ^  « 


Both  tirue  and  apparent  availability  arc  considered  at 


.nao. i  nonas 


and  as  a  function  of  warning  time.  Countdown  reiia  ili :  ■  is  cons 
toms  of  reaction  time  and  success  ratio. 


Repair  ox  noorus  curing  a  tacoicai  situation  is  crease:,  r.eeour/cp.r.",  _or  a. 

1  v.-v!  ■[•.nil  •r-'r,'vjr;  m'o’.rirT'  n „.r r~  •:  i  4  -  4  ^  •-  •  “  r  ’  ■  /*v ’’ 


ir.'.iL  oea  spares  nrovxcionin;;.  ayevser.  ic  •  .  rf-  ■ 

dance  accuracy,  warhead  lethality,  and  a  given  targetin'.  policy 


An  o.O.R.  for  the  squadron  is  postulated.  Require  icnts  arc  pla.eed  or.  rcadi- 
- ness,  launch  reliability  and  reaction  time,  flight  reliability,  and  nsvit 
hill  probability,  faialyticau  models  reflecting  the  figures  of  merit  defined 
above  arc  developed  for  the  squadron  by  site  a.r.d  sues.utn  It  .is.r.ssemod 
that  during  the  system  acquisition  and  early  opcraticr.nl  phase s,  a  fccy  of 
data  has  been  obtained  as  a  result  of  system  and  subsystem  tests.  Hussions 
are  developed  for  processing  this  data  into  numerical  estimates  of  the  model 
parameters,  the  model  is  e::crc:i.ccd  using  these  estimates  tc  produce  esti¬ 
mates  of  availability,  dependability,  and  capability  and  the  product  of  those 
factors . 


The  model  outputs  are  compared  to  the  A. CAR.  This  comparison  indicates  that 
the  minimum  acceptable  values  for  system  reliability  in  countdown  and  flight 
are  net,  although  the  reliability  of  the  re-entry  vehicle  is  clearly  suscep¬ 
tible  of  improvement.  The  true  availability  of  the  system  is  roe fully 
lower  than  the  acceptcfole  minimum,  although  the  up-parent  availability  is 
relatively  high.  The  per  unit  hill  probability  is  also  in  drastic  need 
of  improvement. 


Parameter  variation  studies  are  initiated  on  the  availability  and  capability 
factors  to  assess  the  potential  for  system  improvement.  It  is  shorn  that 


71 


.  improved  monitoring  ond  increased  reliability  of  the  power  genera¬ 
tion  and  distribution  subsystem  in  conjunction 

with 

.  a  drastic  shortening  of  the  tines  between  scheduled  checkouts  on 
several  subsystems 

and 


will 


.  an  increase  in  guidance  accuracy  by  a  factor  of  two 
required  to  achieve  r.lniv.rri  acceptable  system  performance. 


The  questions  of  costs,  schedules,  confidence  factors,  relative  strategic 
value  of  the  system,  and  technical  feasibility  of  accomplishing  the  re¬ 
quired  system  alterations  are  not  considered. 


A  more  serious  shortcoming  of  this  document  is  the*  lack  of  an  illustrative 
decision  algorithm  (for  aiding  management)  that  accounts  for  cost,  schedules, 
expected  product  life,  and  the  host  of  other  factors  which  (conceivably)  in¬ 
fluence  decisions  in  a  real  situation.  The  current  example  limits  itself  to 
a  trade  off  study  based  strictly  on  the  technical  factors  which  enter  into 
decisions.  Thus,  there  is  a  certain  flavor  of  real  life  missing  from  this 
example . 


Although  the  example  developed  here  illustrates  the  formal  mathematical 
framework  referred  to  above,  it  was  found  that  this  framework  can  be  too 
restrictive  under  certain  circumstances.  The  difficulty  is  implicit  in  the 


structure  of  tko  pro; 
:ility,  r.r.u  deal  'r.  c 


a  1  y;  i  a 


V-.r:.'.  ..  u:.\u:oc  k/.at  reauinoos,  aeponua 
e.nreoocd  is  mutually  e::clxicivc,  ir.de 


pendent  factors.  This  assumption  can  break  down  for  availability  and 
dependability  in  the  case  of  ICBM's  ’./hen  several  launch  attempts  are  per¬ 
mitted  (with  repair  from  the  preceding  aborts). 


It  is  shown  in  Appendix  II  that  this  situation  cannot  be  formulated  within 
the  present  formal  framework  adopted  by  Task  Group  II. 


72 


<> 


II.  SFFECTXVEI'IESS  EVALUATION  3Y  TASK  ANALYSIS  DESIGNATOR  NUMBERS 


1.0  IISSIOII  DSFIIUTIOI! 

1.1  Functional  Definition  of  Mission 

Any  missile  of  an  ICBM  fleet  should  be  ready  to  accept  a  launch  directive  at 

a  random  point  in  time,  or  at  an  arbitrary  time  after  an  initial  warning  has 

been  received  at  a  random  point  in  time.  It  should  then  launch  successfully 

2/ 

within  a  prescribed  reaction  time,— fly  a  ballistic  trajectory,  penetrate, 
arm,  fuse,  impact  within  the  prescribed  target  area,  detonate  and  yield  as 
planned  with  a  prescribed  probability  of  target  kill. 


1.2  System  Requirements 

The  basic  numerical  criteria  used  in  guiding  the  design  of  ICBM  fleets  is 
given  in  a  document  called  "Specific  Operational  Requirements.*  For  example, 
the  Atlas  and  Titan  I  fleet  requirements  are  given  in  S0R-104. 

For  our  example  analysis  we  shall  assume  that  the  SOR  requires: 

Minimum  Objective 

accept,  value  value 


Countdown  reliability 

0.8  * 

0.95' 

Flight  reliability 

0.7 

0.90 

Fleet  in  commission  rate 

0.5 

0.90 

Per  unit  probability  of  kill 

0.8 

0.9 

*  Assumed  reaction  time  of  2  l/2  hours. 

We  shall  also  assume  that  the  SOR  specifies  one  or  more  objectives  of  the 
following  nature: 


2/  Multiple  launch  attempts  with  repair  of  aborts  is  permissible. 


73 


.  Crisis  criterion: 

Maximize  the  number  of  missiles  available  for  launch. 

.  Cold  war  criteria: 

.  Fixed  budget  criterion: 

Maximize  target  coverage  within  a  fixed  allocation  of 
resources . 

.  Per  unit  cost  criterion: 

Maximize  target  coverage  per  dollar  consumed. 

.  System  efficiency  criterion: 

Minimize  the  dollars  required  to  obtain  a  specified  target 
kill  probability 

It  should  be  noted  that  these  criteria  define  acceptance  and  objective  levels 
and  a  course  of  action.  They  do  not  necessarily  specify  Figures  of  Merit. 


However,  the  SOR  probably  should  specify  one  or  more  Figure  of  Merit  to  be 
used  in  assessing  the  developed  system.  We  shall,  therefore,  assume  that 
our  hypothetical  SOR  requirements  are  based  upon  the  expected  number  of 
objectives  destroyed  per  squadron  when  an  execution  directive  is  given  at  a 
random  point  in  time  and  three  missiles  are  targeted  per  objective. 

2.0  SYSTEM  DESCRIPTION 
2.1  General  Configuration 

The  system  is  a  squadron.  A  sannrt-rnn  consists  of  nine  launch  sites,  each 
containing  one  missile. 


74 


I 


<f, 

< 


Each  missile  contains  the  folloi/ing  launch  critical  subsystems 

Subsystem 

Subsystem  Designator 

Re-entry  vehicle 
Guidance 
Autopilot 
Propulsion 
Structure 


A 

B 

C 

D 


Each  launch  facility  contains  the  follovTing  launch  critical  subsystems. 


Subsystem 

Subsystem  Designator 


Overhead,  door 

F 

Air  conditioning 

G 

Power  generation 
and  distribution 

H 

2 •  2  Bloch  Diagram. 

Bloch  diagrams  of  a  system  are  useful  in  sho'ring  the  organization  of  a 
system.  In  particular,  they  are  a  useful  reference  in  establishing  the  inter¬ 
faces  between  equipments  and  settling  the  question  of  redundancy.  The 
functional  flow  diagram  of  Figure  1  illustrates  the  degree  of  complexity  and 
amount  of  detail  normally  available  from  such  diagrams. 

2.3  Engineering  Drawings 

The  engineering  dra-, dings  define  the  details  of  the  hardware  of  the  system. 
From  these  drawings  information  is  extracted  to  support  the  integiated  task 
index,  unit  manning  document,  data  handbook,  provisioning  requirements  docu¬ 
ment,  equipment  running  time  line  analysis,  and  the  reliability  functional 
block  (RFB)  diagram. 


75 


FIGURE  1.  FUNCTIONAL  FLOW  DIAGRAM  OF  ATLAS  WEAPON  SYSTEM 
OPERATIONAL  GROUND  EQUIPMENT 


2 


SA  OF  ATLAS  WEAPON  SYSTEM 
IPMENT 


2.4  System  Function  Analysis 


A  system  function  analysis  (F/a)  is  a  task  oriented  analysis  of  the  time  and 
sequence  of  the  events  necessary  to  support  and  utilize  a  weapon  system.  It 
provides  the  base  line  from  which  the  equipment  running  time  line  analysis, 
integrated  task  index,  and  unit  manning  document  are  prepared.  A  function 
analysis  is  documented  as  a  set  of  configuration  control  engineering  drawings. 

The  method  is  illustrated  by  the  two  Atlas  F  series  drawings  of  Figures  2a 

and  2b. 

2.5  Physical  Factors  Summary  Documents 

These  documents  are  usually  a  series  of  design  reports  of  all  system  factors. 
Equipment  Running  T'  >■£  Line  Analysis 

-A  running  time  line  analysis  of  each  equipment  group  is  performed  for  each 
standard  tactical  operating  condition  (STOC)  implied  by  the  mission  description. 
For  example,  consider  Figure  3  which  illustrates  the  time  line  analysis  of 
a  hypothetical  re-entry  vehicle  during  countdown . 

2.7  Integrated  Task  Index 

The  integrated  task  index  of  the  system  uniquely  identifies  all  of  the  tasks 
which  must  be  accomplished  to  maintain  and  operate  the  weapon  system.  It 
lists  the  required  skill  level  (AFSC),  number  of  people  required,  sequence 
and  duration  of  the  tasks.  This  is  illustrated  in  Figure  4  for  an  Atlas  E 
Series  periodic  inspection. 


77 


78 


FIGURE  2a.  MONITOR  SITE  EWO  READINESS  (FIGURE  1 


RELIABILITY 


FIGURE  3.  TIME  LINE  FOR  REENTRY  VEHICLE  IN  S.T.O.C.  (COUNTDOWN) 


FcRFOPM  INITIAL  INSPECTION 
AND  DOCUMENT  INSPECTION 


POSITION  MISSILE  FOR  MAINTENANCE 


121.  IA  j  PREPARE  FOR  INSPECTION 


(iF  NEW  MISSILE)  PREPARE  FOR 
INSPECTION  AND  INSTALL 
LOOSE  EQUIPMENT 


PERFORM  VISUAL  INSPECTION 
AND  NECESSARY  REPLACEMENT 


PERFORM  VISUAL  INSPECTION 
AND  NECESSARY  REPLACEMENT 


PERFORM  VISUAL  INSPECTION 
AND  NECESSARY  REPLACEMENT 


PERFORM  VISUAL  INSPECTION 
AND  NECESSARY  REPLACEMENT 


PERFORM  VISUAL  INSPECTION 
AND  NECESSARY  REPLACEMENT 


PERFORM  VISUAL  INSPECTION 
AND  NECESSARY  REPLACEMENT 


PERFORM  VISUAL  INSPECTION 
AND  NECESSARY  REPLACEMENT 


PREPARE  PROPELLANT  SYSTEM  MGE 
FOR  MISSILE 


PREPARE  ELECTRICAL  MGE  FOR 
MISSILE  INSPECTION 


PREPARE  HYORAULIC  MGE  FOR 
MISSILE  INSPECTION 


031 


PREPARE  FOR  APCHE  SELF -CHECK 


ItRFORM  A  PC  HE  SELF-CHECK 


PREPARE  MDU  FOR  MISSILE 


READ/  SYSTEM  FOR  MISSILE 
CHECKOUT 


RFORM  HYDRAULIC  SYSTEM 
CHECKOUT  (FILL  AND  BLEED  DECK  233) 


PERFORM  PROPULSION  SYSTEM 
CHECKOUT 


161.8  I  PERFORM  ENGINE  RELAY  BOX 
CHECKOUT 


PERFORM  APCHE  R*OPULSlC  N 
IGNITTERS  AND  HEATERS  CONTINUITY  TEST 


PERFORM  PU  SYSTEM  CHECKOUT  (DECK  240) 


PERFORM  PU  SYSTEM  TEST  (DECK  219) 


PERFORM  AIREBORNE  ELECTT.'CAL 
SYSTEM  CHECKOUT 


PERFORM  AIRBORNE  PNEUMATIC  SYSTEM 
CHECKOUT 


PERFORM  AUTOPILOT  SYSTEM  CHECKOUT 


PREPARE  MGS  FOR  CHECKOUT 


PERFORM  MGS  CHECKOUT 


SECURE  COUNTDOWN  GROUP  FROM  CHECKOUT 


SECURE  ALINGMENT  GROUP  FROM  CHECKOUT 


PERFORM  APCHE  AUTOPILOT  FREOUENCY 
RESPONSE  TEST  (DESK  756) 


PERFORM  INTEGRATED  A/P  IGS  TESTS 


PERFORM  PNEUMATIC  LEAK  TEST 


SECURE  FROM  INSPECTION 


SECURE  FROM  INSPECTION 


SECURE  FROM  INSPECTION 


SECURE  FROM  INSPECTION 


SECURE  FROM  INSPECTION 


SECURE  FROM  INSPECTION 


SECURE  FROM  INPSECTlON 


SECURE  MGS  FROM  CHECKOUT 


SECURE  ALIGNMENT  GROUPFROM  CHECKOUT 


PREPARE  MISSILE  FOR  TRANSpORT 


REMOVE  MISSILE  FROM  STORAGE 


asiSHsauu!!  «um  he 


mungi 


canKiniiii 


niiiivmiiii-Qiiiiiiiiiiigi 

hiiiiiiiiiiiiikiiiiiiiiiiiiI 

fliiiigmmiiiD9iiiiimiiiimimmi 

DmaimiiiiEDigiiiHiHiiimimiiKiBH 

■BBBBBBBBBBBBBBEZZEaBBBBBBBBBBBBBBBBBBBBB 

imbbbbbbbbbbbbbbbbbbbbchwbbbbbbbbbbbbbbbbbbb. 


\zzm 


IBBBBBBBBUBUBBBBBBBBBBBBBBBBBBBWBBBBBZE 

IBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBZ 

iBimiiiinmimiimiHniiiHimgiK 

iBiammHHHmmawmwHmim 


iiiiimiiHimiiim  ii|iiiiiiimmt 

IBBBBBBBBBIBBBflBBBBBBBBBBBBBBBBBBBBBBI  ■©■ 


IBBBBBBBBBBBBBBBBBBBBBBI 


IBBBBBBBBI 


IBMBHBBBBBBBIBBBJ 

IB^BKBBBBBBBIBBBI 


SECURE  COUNTDOWN  GROUP  FROM  CHECKOUT 


NORMALLY  SCHEDULED 


FIGURE  4.  SMA  MISSILE  PERIODIC  INSPECTION  - 

TASK  DURATIONS  AND  MANNING  REQUIRE 


HiiHiimmiiiiiiimiiiiiiiiiimiiimimiiimimiiiiimiiii 

:::::::3iiiiiiiiiiiiigHiiiiiiiiiiiiiii|iiiiiiiiiiiiiiiiiiiiiii!iiii 

iiiiiiisiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiimiiiiiiiii 

SSlS|lii^KlllllHnniHHIHHHIHnniHIHIIII|IHinilicJHIl| 

■miiH^isiiMiiwwiiMiwmiiBiiiimiiwmiiiimmiiii 
miiuk:iiisiiiiiiii|iiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiii 
|BiBii[:iaiiBBBiBBiBBiiiiiiiiiiiiiiiiBiBiiBiiiiiiiiiiBiBiBiaiiBii 

■MHBaBEZaBBBBBBflBBBflBflBBBBflBBBBBBBBBBBBBBBBBBSBBBBBBBBflBBBBBBBBBBBT 
BBB1BBBBBBZZZ3BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBI 

mbbbbbbbbbbbbcsbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbhI 

^■4iiigiK=zi^iiiiiiiiiiiiiiiiiiiiiiiiiiiii9i!ili|iii5iiui|iii 

iiiiiiiii|iiiumuimHUii=Biimiiiiiiiiiuiiimuiiimmiii| 

bbbibbbbbbbbbbbbbbbbbbbbbbbbbbbbbzobbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbI 

BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBZZaBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBl 

S^H|i^HBimilllllllllHllillH^ill|llllllllllllllllllllllllHB 

IBBBBBBBBBBBBBBBBBBBBBBBB~:~EBBBBBBBBBBBBBBBBBBBBBBBBi 


MM MBi BIBB B1  BB H M MM HMMMMHHHBBBBMHMMHBBH MM  ■ 

IWMSMBlBJiMBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBZgBBBBBBBBBBBBB  ■■■■■! 

Ibbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbziibbbbbbbbbbbbbbbbbbi 

iIiii®BBBBBBBBBBBiBBiBBiBiBBBBBBBBBBBBBBBBBBBBBC--aBBBiBBiIBBiBBBlii 

BBpg5g5BBBBBBBBiBBBBBBBBBBBBBBBBBBBBBBBi|||f|BaBBZZaBB5aiBBBBBBBBBBi 

IhmmmmmmhmbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbSzzbbbbbbbbbbbbbbbbI 


111  u 


NORMALLY  SCHEDULED 


SVA  MISSILE  PERIODIC  INSPECTION  - 

TASK  DURATIONS  AND  MANNING  REQUIREMENTS 


81 


2.o  Unit  Manning  Document 


The  unit  manning  document  describes  the  skill  levels  required  and  the  number 
of  people  allocated  to  the  weapon  system. 

2.y  Reliability  Indices  Reports 

The  reliability  indices  reports  list  each  reliability  functional  block, 
identify  its  function,  and  give  its  failure  rate.  The  raw  data  from  which 
the  failure  rate  is  estimated  is  also  listed  in  the  document.  A  typical 
excerpt  is  shown  in  Figure  5. 

2. 1C  The  Data  Handbook 

As  the  system  is  developed,  a  running  estimate  of  each  of  the  pertinent  system 
parameters  is  maintained. 

2 . U.  Provisioning  Requirements  Document 

The  number  of  items  of  support  equipment  and  the  allocation  of  spares  is 
documented . 

2 •  -1-2  Cost  Indices  Document 
(Not  pertinent  to  this  technical  document.  ) 

2.1j  RFB  Diagram 

Each  equipment  group  is  subjected  to  a  detailed  reliability  analysis.  The 
resultant  reliability  functional  block  (RFB)  diagram  shows  the  inputs  to  each 

equipment  block,  the  outputs  of  each  equipment  block,  find  the  internal 
relations  of  each  equipment  block. 

Figure  6  illustrates  such  a  diagram  for  a  hypothetical  re-entry  vehicle. 


82 


RELIABILITY  FUNCTIONAL  BLOCK  DIAGRAM 


FIGURE  6.  TYPICAL  RFB  DIAGRAM  (SUBSYSTEM  A,  REENTRY 
VEHICLE  DURING  COUNTDOWN) 


84 


2.14  Weapon  System  fungaary 

It  is  assumed  that  the  eleven  tasks  indicated  above  have  been  satisfactorily 
completed  to  produce  a  weapon  system  summary  document.  For  the  present 
example,  we  assume  the  following  summary. 

,  3/ 

2.14.1  Delineate  the  STOCT~  and  Their  Time  Lines  by  Subsystem 

The  STOC  for  a  launch  site  are 

4 / 

.  EWO  —  readiness 
.  Guidance  checkout 
.  Re-entry  vehicle  recycle 

.  Periodic  checkout 
.  Countdown 
.  Return  to  standby 
.  Flight 

Topical  time  lines  are  illustrated  by  Figures  3  and  4. 

2.14.2  Delineate  Targeting  Policy 

A  squadron  is  targeted  on  three  objectives,  three  missiles  to  an  objective. 

2.14.3  Delineate  Physical  Factors 

The  launch  site  may  be  regarded  to  be  impervious  to  countermeasures  except 
when  the  overhead  door  is  open.  (Consider  ground  invulnerability  to  be 
unity. ) 

For  the  class  of  target  considered,  the  warhead  exhibits  a  unity  damage  function. 

The  cross  range  and  down  range  miss  distances  arising  from  errors  of  the  gui¬ 
dance  system  are  normally  distributed  and  independent. 


2!  Standard  Tactical  Operating  Conditions 
4/  Emergency  War  Order 


85 


The  probability  of  propellant  depletion  is  zero  for  the  target  ranges  used. 


Under  tactical  launch  conditions  two  launch  attempts  may  be  made,  since  each 
site  stocks  sufficient  spares  to  repair  one  countdown  abort.  No  retargeting 
capability  exists. 

The  reliability  and  performance  capability  of  the  communication  system  is 
unity. 

Penetration  probability  is  unity. 

2.1'!.':-  Delineate  Personnel  Composition 

Each  squadron  is  supported  by  four  maintenance  crews.  A  crew  works  an  eight 
hour  shift  with  every  fourth  day  off.  During  emergency  conditions  not  lasting 
longer  than  one  week  all  crews  may  he  put  on  twelve  hour  duty,  two  crews 

operating  simultaneously.  Maintenance  equipment  is  redundant  to  this  extent. 
It  requires  a  full  crew  to  maintain,  checkout,  and/or  repair  a  failed  missile 
or  launch  facility.  Scheduled  maintenance  does  not  create  queuing  problems. 

Each  launch  site  is  fully  manned  twenty- four  hours  a  day. 

2.1*:-. 5  Delineate  Maintenance  Policy  Types  and  Tine  Linos 

Each  launch  site  is  maintained  using  a  hybrid  maintenance  policy.  Sub¬ 
systems  G  and  H  are  continuously  monitored  and  enter  unscheduled  maintenance 
when  a  failure  Is  indicated  by  malfunction  lights.  Repair  is  by  remove  and 
replace  and  requires  a  mean  time  of  one  day.  Subsystem  A  is  an  unmonitored 
system  which  is  replaced  once  a  year.  The  time  for  replacement  is  constant 
and  takes  one  day. 

Subsystem  B  is  periodically  checked  after  standing  on  alert  for  ten  days.  The 
duration  of  the  checkout,  when  it  is  all-go,  is  one  hour.  The  system  can 
be  returned  to  alert  in  ten  minutes  from  any  point  in  all-go  checkout.  The 

mean  time  for  repair,  which  is  by  re  ;ove  tmid  replace,  :.s  of  yu  hour’s. 


86 


Subsystems  C,  D,  E,  and  F  stand  on  alert  for  thirty  days .  At  the  end  of 
thirty  days,  a  checkout  requiring  0.6  day  is  performed.  The  system  is 
off  alert  during  this  time.  Repairs  are  by  remove  and  replace. 

.  Spares  are  unlimited. 

.  Deployment  of  the  squadron  is  such  that  travel  time  for  unscheduled 
maintenance  is  negligible  compared  to  the  duration  of  maintenance 
activity. 

,  .  5/ 

.  At  irregular  intervals  TCTO  must  be  accomplished  (off  alert).— 

.  Scheduled  maintenance  does  not  create  queuing  problems. 

Figures  7  through  13  illustrate  the  time  lines  for  each  subsystem  main¬ 
tenance  policy  and  the  values  of  the  parameters. 

3.0  SPECIFICATION  OF  FIGURES  OF  MERIT  (F.O.H. ) 

The  various  figures  of  merit  useful  in  making  decisions  for  or  against 
system  alterations  and  for  use  in  targeting  are,  in  order  of  increasing 
detail; 


3.1  E  =  A'  [D]  C  =  ejected  targets  destroyed  per  squadron 

3-2  [D]  =  dependability  matri::  per  squadron 

3-3  C  =  System  capability  vector 

3.^  A  =  Squadron  availability  vector,  and  X'  is  its  transpose 

3.5  Relative  subsystem,  site,  squadron  rani;  by  reliability  indices  by 
mode  of  operation 

3.6  Relative  subsystem,  site,  squadron  rani;  by  availability  indices 

3.7  Relative  subsystem,  site,  squadron  rani;  by  consumption  rate  by  node 

of  operation 

3.8  Relative  subsystem,  cite,  squadron  rani;  by  r.epair  time 

3.9  Relative  subsystem,  site,  squadron  rani:  by  lag  time 

3.10  Relative  subsystem,  site,  squadron  rani:  by  duration  of  go  checkout 

3.11  Relative  subsystem  rani;  by  test  quality  and  coverage  by  mode  of 
operation. 


5/  Time  Compliance  Technical  Order. 


37 


38 


FIG 


FIGURE  10.  EQUIVALENT  TIME  LINE  FOR  THE  If.h  SUBSYSTEM 
OF  THE  JOINT  MAINTENANCE  POLICY  FOR 
SUBSYSTEMS  C,  D,  E,  AND  F 


91 


I 


W*3 


PARAMETER 

SUBSYSTEM 

H 

G 

1 

1  DAY  * 

1  DAY  * 

1 

"2 

® 

® 

1 

" 3 

® 

® 

l/« 

10  DAYS 

500  DAYS 

1/. 

ir  ays 

2  DAYS 

lAd 

5  DAYS 

50  DAYS 

1AU 

100  DAYS 

® 

1  DAY 

1  DAY 

•  INCLUDES  APPROXIMATELY 
1/2  DAY  LAG  TIME 
DUE  TO  QUEUING 


FIGURE  11.  TYPICAL  TIME  LINE  OF  A  CONTINUOUSLY  MONITORED 
SYSTEM  SHOWING  DWELL  TIME  IN  VARIOUS  STATES 
(SUBSYSTEMS  G  AND  H) 


92 


<4 


93 


JSSIBLE  STATE  TRANSITIONS  FOR  CONTINUOUSLY  MONITORED 
STEMS  SHOWING  RATES  OF  TRANSITION  (SUBSYSTEMS  G  AND  H) 


FIGURE  13.  TIME  LINE  ANALYSIS  OF  TCTO 


» 


The  calculation  of  o.I  shall  reflect  the  conditions  of  l.C  and  £.0  In  the 
present  memorandum  only  the  highest  level  F.O.M.  (No.  j.l)  will  be  considered 
since  all  other  F.O.M.  are  obtained  as  intermediate  by  products  of  proper 
data  processing. 

4.0  ISKliTIFIC-vCIO:-  OF  ..OCOu  FACVC'do 

Hie  total  number  of  factors  which  must  be  accounted  for  are  determined  by 
the  system  complexity  and  the  nature  and  detail  of  the  questions  which  it  is 
expected  must  be  answered  by  the  modeling  effort. 

It  is  convenient  to  group  the  areas  of  consideration  under  four  headings: 

Personnel 

Procedures 

Hardware 

Logistics 

4.1  Define  Level  of  Accountability 

The  degree  of  accountability  (in  this  example)  places  the  least,  accountable 
level  at  a  subsystem,  and  the  highest  accountable  level  at  a  squadron. 

The  depth  of  detail  to  be  accounted  for  is  specified  in  the  following  four 
sections.  Each  factor  is  to  be  explicitly  accounted  for  in  the  structure  of 
the  model  by  subsystem,  by  site,  and  by  squadron. 

4.2  Hardware 

The  models  shall  reflect  the  possibility  of  four  failure  stress  levels  for 
periodically  checked  subsystems  depending  upon  the  modes  of  operation: 

.  Alert 

.  Checkout  and/or  countdown 
.  Flight 

.  Demating 

The  model  shall  also  reflect  the  possiblity  of  inherently  undetectable 
failures. 


95 


Procedures 


The  model  shall  specifically  account  for  at  least  the  following  properties 
of  a  test 

.  Test  coverage 
.  Test  error 

.  false  alarm 
.  Oversight 
.  Test  duration 
.  On  alert 
.  Off  alert 

4.4  Personnel 

The  model  shall  reflect  the  possibility  of  queuing  in  unscheduled  maintenance 

due  to  insufficient  personnel. 

The  model  shall  not  explicitly  differentiate  between  inherent  failures  and 
human  induced  failures. 

The  model  shall  not  explicitly  differentiate  procedural  errors  from  human 
errors . 

4.5  Logistics 

The  model  shall  specifically  account  for  lag  time  due  to  transportation  delays 

6/ 

and  the  deployment  of  the  launch  sites.— 

The  model  shall  specifically  account  for  spares  provisioning.  - 


6/  Zero  by  assumption  since  time  did  not  permit  an  analysis. 
7/  Accounted  for  in  launch  probability  only. 


96 


Specify  Data  Constraints 


k.b 

Data  shall  be  obtained  as  a  result  of  the  normal  routine  of  system  checkouts, 
maintenance  actions,  and  repairs.  Data  from  existing  data  systems  shall  be 
utilized  to  the  maximum  degree  possible. 

Suecial  field  exercises  shall  be  kept  to  the  minimum  consistent  with  ob- 

8/ 

taining  accurate  estimates  of  crucial  parameters.— 

Field  data  shall  be  supplemented  by  depot  and  qualification  testing  results 
wherever  possible. 


8/ 


ike  question  of  confidence  levels  and  intervals 


not  treated  herein. 


97 


5.0  MATHEMATICAL  MODEL  CONSTRUCTION  - 
5.1  Assumptions 

.  The  failure  distribution  which  holds  during  standby  is  an  exponential 
distribution . 

.  The  failure  distributions  in  checkout,  countdown,  and  flight  my  be  bi¬ 
nomial,  exponential,  or  both. 

.  The  means  of  all  distributions  are  finite. 

.  Subsystems  fail  independently. 

.  Test  errors  are  binomially  distributed. 

.  The  launch  sites/missiles  are  a  homogeneous  population. 


5.2  Definitions  and  ay  fools 

The  folloiring  definitions  and  symbols  hold  throughout  the  analysis. 


A  is  the  availability  vector.  A'  is  its  transpose. 

A.  is  the  ith  element  of  A. 

1 


A  [t]  total  system  readiness  expressed  as  a  function  of  time  t. 
s 

A  L'3]  total  system  readiness,  limiting  value  as  t  - >  «  . 

s 

Ajt]  apparent  readiness  expressed  as  a  function  of  time  T  . 


C 


wi 

Cn 

°1; 

[D] 
d.  . 


is  the  design  capability  (performance )  vector, 
is  an  element  of  C. 

is  the  combination  of  n  things  taken  k  at  a  time, 
system  dependability  matrix, 
element  of  [D] . 

the  rate  of  detection  of  failures  of  the  inherently  detectable 
in  principle  class. 


9/  The  principles  used  in  this  section  are  discussed  in  Appendix  I. 


I 

^  i' 


98 


c:  The  expected  kill  as  a  function  of  the  number  of  missiles 

targeted  per  objective,  other  parameters  held  constant. 

E  Tiie  expected  kill  per  squadron  (system  effectiveness,  defined 
to  be  a  function  of  readiness,  reliability,  and  design 
capability) . 

f  [Rq]  Conditional  delivery  probability.  The  probability  of  successful 
flight  and  penetration  to  the  target  area;  given  a  successful 
launch  and  no  gross  malfunction  of  any  part  of  the  system. 

A  measure  of  system  performance  excluding  reliability  and/or 

readiness . 

i;  i  i  is  the  logical  inaication_of  the  entrance  of  subsystems 
C,  D,  E,  or  F  into  repair,  i  is  the  logical  negation  of 
i;  i.e.  checkout  is  go. 

L  Rate  of  termination  of  launch  attempts  irrespective  of  manner 
of  termination,  but  excluding  enemy  counter  measures . 

PiCF]  Is  the  mean  likelihood  that  the  ith  subsystem  will  fail  to 

pass  the  test  during  checkout,  (periodically  tested  subsystem) 


PCD[«]  The  probability  of  successful  launch  on  the  first  attest 
without  regard  for  duration. 

Pc  [t/CD]  The  probability  of  successful  launch  on  the  first  attest  in 

w  time  t  or  less;  given  that  the  launch  is  successfully 

completed. 


P^  The  probability  that  all  of  the  equipment  characteristics 
c  which  aje  monitored  during  a  periodic  checkout  will  survive 
the  checkout;  given  that  they  were  unfailed  at  entrance  to 
checkout.  Failure  of  any  such  characteristic  is  termed  to 
be  "inherently  detectable  in  principle." 


P^  The  probability  that  the  inherently  detectable  equipment 

c.  characteristics  survive  checkout  up  to  the  point  of  test 

decision;  given  that  they  are  nonfailed  at  entrance  to 
checkout . 

P^  The  probability  that  the  inherently  detectable  equipment 
cg  characteristics  survive  the  demating  process  post  checkout 

test  decision;  given  that  they  were  passed  and  were  actually 
nonfailed  at  the  test  decision  point. 


99 


Hie  probability  that  the  inherently  detectable  equipment 
characteristics  survive  the  expected  waiting  times  Tr  and 
T  given  that  they  were  unfailed  at  completion  of  1 
r2  checkout  and  repair  respectively. 


p  The  probabj 11 ty  that  the  inherently  detectable  equipment 
s  characteristics  survive  the  standby  period;  given  that  they 
were  unfailed  at  the  time  of  assignment  to  standby. 


The  weapons  effect  damage  function;  expressed  as  a  function 
of  the  radial  miss  distance  R. 


System  flight  reliability. 

Guidance  accuracy  dispersion. 

The  mean  likelihood  that  the  ith  unit  is  nonfailed;  given 
that  it  is  assigned  "UP"  . 


P . [G;  t  ]  Hie  probability  that  the  ith  unit  is  nonfailed  at  entrance 
Sk  to  standby. 


Pk  Unit  probability  of  kill. 

Pk[T]  The  probability  that  exactly  k  units  are  "down"  t  units 
"  of  the  time  after  initiation  of  an  alarm  condition.  Down 

means  in  repair  or  awaiting  repair. 

Pl[t]  Hie  probability  of  launch  for  one  or  more  successive  attempts . 
7  is  measured  from  the  initiation  of  first  attempt. 

PlO]  The  limiting  value  of  P^Ct]  as  t  — *•»  00  . 

PNPD^rO^  '^ie  probability  of  no  propellant  depletion  expressed  as  a 

function  of  target  range  r^. 

Pp  Penetration  probability. 

P^  [t]  Probability  of  being  up  and  bad,  (failed)  but  detectable  in 
d  principle  at  time  t. 

Pyjj  [t]  Probability  of  being  up  and  bad,  and  not  detectable  in  prin- 
u  ciple  at  time  t. 

P^[t]  Probability  of  being  "down"  (assigned  to  repair),  but  "good" 
(nonfailed)  at  ^xme  t. 

Pdb  frl  Probability  of  being  down  with  a  detectable  class  of  failure 
aod  at  time  t. 


lOt) 


[t] 


[t] 


R 


UCD 

V 

t 


t 

c 


t 

c 


t 


Probability  of  being  down  with  an  undetectable  class  of 
failure  at  time  t. 

Probability  of  being  "up”  (assigned  to  service)  and  "good" 
(nonfailed)  at  time  t. 

The  probability  that  all  of  those  equipment  characteristics 
which  are  not  monitored  during  a  periodic  checkout  will  sur¬ 
vive  the  checkout;  given  that  they  were  unfailed  at  entrance 
to  checkout.  Failure  of  any  such  characteristic  is  termed 
to  be  "inherently  undetectable  in  principle." 

The  probability  that  the  inherently  undetectable  equipment 
characteristics  survive  checkout  up  to  the  point  of  test 
decision;  given  that  they  were  unfailed  at  entrance  to 
checkout. 

The  probability  that  the  inherently  undetectable  equipment 
characteristics  survive  the  demating  process  post  checkout 
test  decision;  given  that  they  were  passed  and  unfailed  at 
the  point  of  test  decision. 

The  probability  that  the  inherently  undetectable  equipment 
characteristics  survive  the  expected  waiting  times  T  and 
Tr  ;  given  that  they  were  unfailed  at  the  completion1! 
r2  of  checkout  and  repair  respectively. 

The  probability  that  the  inherently  undetectable  equipment 
characteristics  survive  the  standby  period;  given  that  they 
were  unfailed  at  the  time  of  assignment  to  standby. 

Warhead  yield  function. 

Target  range. 


Target  miss  distance  measured  radially  fro; a  the  target  to 
the  point  of  impact 

Reliability  of  the  ;ltl:  subsystem  in  countdown. 
Reliability  of  the  ILL  subsystem  in  flight. 

Lethal  radius  of  warhead. 


Time 

Duration  and  mean  duration  of  checkout,  respectively. 
Duration  of  countdown. 


t^j  Duration  and  mean  duration  of  down  tine  ,  respectively. 

tg;  t  Duration  and  mean  duration  of  standby  time,  respectively, 

t^;  t  Duration 'and  mean  duration  of  up  time,  respectively. 


3 


*00 

X 


Duration  of  a  constant  duration  checkout. 

Duration  of  the  first  and  second  half  of  checkout  when 
constant . 

Remove /replace  time  for  ith  subsystem  repair. 

Expected  time  awaiting  reassignment  to  standby  for  the  ith 
subsystem  after  successful  completion  of  checkout  and  repair, 
respectively. 

Constant  standby  duration. 

Unit  step  at  t  =  x  . 

Periodic  maintenance  -  the  probability  of  false  alarm. 

Continuous  monitoring  -  the  rate  of  false  alarms. 

Periodic  maintenance  -  the  probability  of  passing  a  failed 
characteristic  of  the  inherently  detectable  in  principle 
class . 

Delta  dirac  at  t  =  x. 

System  failure  rate  of  the  continuously  monitored  subsystems 
during  standby. 


\q  Rate  of  occurrence  of  TCTO  actions. 

\T  System  failure  rate  during  countdown. 

ii 

X^  *  Failure  rate  of  the  inherently  detectable  characteristics  of 
s  the  ith  subsystem  during  standby. 

X  *  Failure  rate  of  the  inherently  undetectable  characteristics 
Us  of  the  ith  subsystem  during  standby. 


p,  Equivalent' system  repair  rate  for  aborted  countdowns. 
Uq  Rate  of  completion  of  TCTO  actions 


102 


I 


Periodic  maintenance  -  probability  of  successful  repair. 

Continuous  monitoring  -  the  rate  cf  successful  repair. 

Periodic  maintenance  -  the  probability  of  leaving  repair 
with  a  failure  of  the  inherently  detectable  in  principle 
class. 

Continuous  Monitoring  -  The  rate  of  leaving  repair  with  a 
failure  "of  the  inherently  detectable  in  principle  class. 

p,  Periodic  maintenance  -  The  probability  of  leaving  repair 
with  a  failure  of  the  inherently  undetectable  in  principle 
class. 

Continuous  monitoring  -  The  rate  of  leaving  repair  with  a 
failure  of  the  inherently  undetectable  in  principle  class. 

' j  Indicates  continued  product. 

ct  Standard  deviation. 

t  Time  duration. 


<» 

o 


1-03 


5.3  Delineation  of  Possible  Outcomes 

.  Total  failure  (full  target  survival) 

.  Not  ready  to  enter  countdown. 

.  Aborts  countdown. 

.  Catastrophic  failure  in  flight. 

.  Destroyed  by  counter  measures. 

.  No  yield. 

.  Falls  outside  target  area. 

.  Partial  failure  (or  success):  (incomplete  target  destruction.) 

.  Falls  wide  of  target  with  proper  yield. 

.  Falls  on  target  with  low  yield. 

.  Total  success  (target  destroyed). 

5 . 4  Delineation  of  System  States 

luring  the  prealam  condition  of  system  readiness,  availability  is  calcu¬ 
lated  under  the  assumption  that  each  subsystem  of  each  site  can  occupy  any 
one  of  si::  basic  states,  namely: 

.  up  and  nonf ailed 
.  up  and  failed  detectably 
.  up  and  failed  undetectably 
.  down  and  nonfailed 
.  down  and  failed  detectably 
.  down  and  failed  undetectably 

In  addition,  there  is  an  overall  system  administrative  state,  namely: 

.  down  in  TCTO 

Since  there  are  five  launch  critical  subsystems,  there  are  7^  possible 
launch  sites  states  (l6,0O7  states).  Since  there  are  nine  launch  sites  to 


104 


be  considered,  the  squadron  can  theoretically  occupy  any  one  of 


rw-r-1 


r  =  1o,807 

m  =  9 


16,815! 
16,80619!  ' 


on  the  order  of  10 


31 


basic  states.  The  remissible  state  transitions  are  shown  in  Figure  12. 


In  the  post  alarm  environment  one  additional  state  is  accounted  for,  namely; 
down  and  in  queue 


<v 


3 

A*- 


Brief  attention  is  given  to  multiple  tactical  launch  attempts.  For  this 
calculation  the  l6,807  basic  states  of  a  launch  site  are  subsumed  into 
seven  gross  states: 

.  on  alert  and  nonfailed  at  the  tine  of  receipt  of  the  launch  directive. 
.  on  alert,  but  failed,  at  the  tine  of  receipt  of  the  launch  direeoive. 

.  in  repair  out  of  countdown  entered  upon  receipt  of  launch  directive. 

.  in  repair  at  time  of  receipt  of  launch  directive. 

.  counting  down  after  first  aboi’t  or  after  repair  that  was  being  com¬ 
pleted  at  tine  launch  directive  was  received,  called  final  countdown. 

.  launched . 

.  aborted  out  of  final  countdoim. 


These  states  and  the  permissible  state  transitions  are  shown  in  Figure  3-1  of 
Appendix  II. 

The  dependability  matrix  identifies  8l  system  states,,  each  of  which  corres¬ 
ponds  to  the  probability  that  if  i  missiles  are  available  when  the  execu¬ 
tion  directive  is  received  at  a  random  point  in  tine,  j  of  them  will 
successfully  launch,  fly,  and  impact  within  the  specified  target  area. 


105 


5*5  Availability 


5* 5*1  System  Models 

5. 5* 1.1  The  Availability  Vector 

If  we  denote  the  availability  of  any  member  of  the  squadron  by  A  [<■>]  or 

J  s 

A  [t1  where  the  first  symbol  refers  to  steady  state  availability  and  the 
second  symbol  refers  to  transient  (augmented)  availability  then  the  availa¬ 
bility  vector  is  given  by 


A9 

A8 


(2) 


where 


=  <  (A,[>or(i-AgM) 

iv  S  o 


or 


\  (As[t])1:  (1  -  As[t1) 


\9-k 


(3) 

(4) 


The  components  of  A  are  read  "The  probability  that  exactly  i  missiles 

of  the  squadron  are  available." 


5 . 5 . 1  •  2  Composite  Steady  State  ilodel 

Total  missile/launch  site  availability  may  be  expressed  in  the  steady  state 
by; 

As|>]  -  A^[”j  ag-°]  AgL”]  ACDEF^^ 


106 


where, 


'•O'  '■ 


u-v 


r‘CDE? 


Inpact  of  TCTO  on  availability 
Availability  oi’  re-entry  vehicle 
Availability  of  guidance 

Joint  availability  of  autopilot,  propulsion,  structure, 
and  overhead  door 


Availability  of  air  conditioning 

Availability  of  power  generation  and  distribution 


Alert  Degradation  due  to  TCTC 

It  is  assumed  that  the  only  effect  of  a  TCTO  action  is  to  remove  the  launch 
site  from  alert.  The  time  between  TCTO  actions  (t^)  is  distributed  with 
density  function; 


W  - 


-XAt 
0  s 


(6) 


The  durations  (t  )  of  TCtO  actions  are  distributed  with  density  function; 
c 


PcW 


y- 


o 


t 

c 


(7) 


The  system  availability  due  to  TCTO  actions  is  therefore  given  by. 


V"]  ■ 


t  -i-  t 
s  c 


—  r  -Vs  i 

*S  -  J  e  dts  -  XT 

0  u 


t  r  *«.  1 

t  =  e  dt  =  — 

c  J0  c  ^0 


(8) 

(9) 


(10) 


107 


where 


t  =  Mean  time  between  TCTO  actions, 
s 

t  =  Mean  duration  of  TCTO  actions . 
c 

The  Joint  Availability  of  Subsystems,  C,  D,  B,  and  F 

The  weapon  system  summary  (2.l4)  indicated  that  subsystems  C,  D,  E,  and  F 

3tand  in  readiness  for  the  same  time  interval  T  ,  at  the  end  of  which  time 

s 

they  enter  checkout.  If  the  checkout  is  "go"  for  all  subsystems,  the  check¬ 
out  duration  is  Tq.  Checkout  and  repair  of  the  subsystems  is  conducted  in 
parallel.  Each  subsystem  is  assigned  up  when  its  repair  or  checkout  is 
complete.  The  last  system  up  defines  the  point  cf  entry  in  T  for  all 
four  subsystems. 


A  typical  time  line  of  this  joint  maintenance  policy  is  shown  in  Figure  9 
The  equivalent  time  line  for  any  given  one  of  the  subsystems  is  shown  in 
Figure  10.  It  will  be  noted  that,  in  general,  there  will  be  an  expected 
waiting  time  Tr  or  Tr^  on  each  maintenance  cycle  during  which  the 
ith  subsystem  is  on  alert,  but  one  or  more  of  the  remainder  of  the  subsystems 
is  down.  This  waiting  time  must  be  accounted  for  in  the  structure  of  the 
model. 


Accordingly,  we  have, 


01  = 


IT  PjGjt  ] 

i=C  1  Sk 


F 

-  '  (\  1  +  \  i)  T 

L.  '  S  U  '  SV 

i=C  I 


1  -  e 


CDEF 


(ID 


T  +  t. 


108 


where, 


HjVb1)  Pj  1  pu  4(l  -  (l-"1)  Pd  1  Pa  1  Pa  H 


Pi[G'  tS  ] 

k 


r2  r2 


1  J  (12) 


where 


Denote 


1  -  P,  1  P .  1  P  1  P  1  P  *. 
d  d  u  u  u  d 
s  c  s  c  r^  r^ 


1  pA  1  (l-or1)  j  A 


=  1 +  (d-ori-ei)(i-»i2i)  Pd  1  -  (I-*1)  Pd  1  Pd  1  f  Pd  1  Pd  1 
L  r2  c2  rl  ‘  8  cl 


1  -  P,  [F] 


(13) 

(.U) 


T=i-  p1Cf] 


Then, 


pTF]  =  i  (l-g1)  J  1  -  (l-a1)  P  1  Pd  1  V. 

j  s  c 


i 

-x  ! 


(15) 


(16) 


l  or 


and  for  the  Inequalities  given  in  the  weapon  system  summary  (2.14). 


and 


t.  =  DEI  +  E(T  E  +  TE)  +  D  E  (T  D+TD)+DEFTF  (17) 
a.  c  r  r  r 

Tr  C  =  D  E  (Tc  D  +  Tr°  -  Tc)  +  E  (Tc  E  +  TrE  -  Tc)  +  D  E  F  TyF  (18) 
1-1  +  5  I  P  (0)  1 

T  C  =  DEF(T  -  T  C-TC)  +  E(T  E+TE-T  C-TC)  (19) 
r£  '  c  c1  r  c1  r  r 

+  I  D  (T  D  +  I  D  -  I  C  -  T  °)  +  D  E  F  (T  +  T  ' *'  -  T  C  -  T  C) 
r  Ct  t  c  r  i 


=  E  (T^E  +  TrE  -  Tc)  +  I  F  t/  +  I  F  (0) 

Tr2D  “  E  (TClE  +  TrE  -  TClD  "  TrD)  +  E  <°> 

*r  E  =  D  (Tc  °  +  Tr°  -  Tc)  +  D  F  TrF  +  D  F  (0) 

T  E  =  0 

r2 


(20) 

(21) 

(22) 

(23) 


T  =  E 
rl  -l 


(T  E  +  T  E  -  T  )  +  E  D  (T  D  +  T  D  -  I  )  +  D  I  (0)  (24) 
C-,  r  c  c,  r  c 


'l 

F\  5=1  TX  D  .  „  D  m  m  F\ 


T  F  =  E  (T  E  +  T  F  -  T  ■  T  ')  +  E  D  (T  u  +  T  "  -  T  -  T ')  (25) 
i*  'c  r  c  j»  *  '  c  r  c  p  »  ' ' 


+  D  E  (0) 


See  Appendix  III  for  derivations 


109 


where,  as  a  typical  example, 

-XC(T  °  +  T  °  -  T  )  -X  C(T  E  +  T  *  -  T  ) 

s'c  r  c  svc.,  r  c 

P  C  =  DEe  1  +  E  e  1  ,(2i) 

rl  C  * 

1  _  -X  C  T  1 

+  D  iV  e  s  r  +DEF 


_  -X  C(T  -  T  C  -  T  C) 

?d  C  =  D  E  F  e  3  C  C1  r 

2  -X  C  (T  E  +  T  E  -  T  C  -  T  C) 

+  E  e  3  C1  r  1  r 

-XC(T  °+TD-T  C-TC) 
+  EDe3  C1  r  C1  r 

-X  C  ('f  +  T  F  -  T  C  -  T  C) 
=  s'c  r  c,  r 

+  D  E  F  e  1 


The  Availability  of  duo systems  a,  3,  G,  and  1 

The  system  models  for  the  availability  of  subsystems  A,  3,  G  and  II  do  not 
differ  from  the  respective  subsystem  models  for  these  sub systems . 
Accordingly,  discussion  of  these  availability  models  is  delayed  till 
Section  5*5*2. 


In  the  event  that  prior  warning  is  received,  steps  may  be  taken  to  augment 
the  availability  of  a  squadron.  Specifically,  all  scheduled  maintenance  may 
be  deferred  and  the  maintenance  crews  may  be  put  on  twelve  horn-  shifts,  two 
crews  working  in  parallel  to  take  care  of  unscheduled  maintenance. 


31 

As  noted  earlier  there  are  of  the  order  of  10  basic  system  states.  An 
equivalent  number  of  state  transition  equations  is  required  to  c;rpress  the 
possible  interactions  between  the  nine  launch  sites  and  the  two  maintenance 
crews . 


110 


I 


r 


It  is  evident  that  the  state  equation  approach  to  augmented  availability  is 
not  a  feasible  approach,  even  for  the  simple  illustrative  system  used  here. 
On  the  other  hand,  machine  simulation  methods  using  Monte  Carlo  techniques 
are  quite  satisfactory  for  this  and  considerably  more  complex  systems. 

Since  Monte  Carlo  methods  are  beyond  intended  scope  of  the  present 
document,  we  shall  use  approximations  that  will  permit  a  solution  to  be 
obtained  by  pencil  and  paper  methods . 

Divide  the  system  into  two  equipment  groups 

.  Continuously  monitored  (Subsystems  G  ar.d  H) 

.  Periodically  checked  (all  Subsystems  except  G  and  H) 

Let  it  be  assumed  that  the  system  is  returned  to  alert  from  scheduled 
activities  in  essentially  zero  tine.  Assume  that  unscheduled  maintenance 
on  Subsystems  G  and  H  is  the  only  activity  which  can  now  remove  the  system 
from  alert.  Further  acs\ime  that 

.  Repair  is  perfect  at  the  equivalent  repair  rate  — 


M-  = 


+  “cH>  »iH 

xd°  ♦  x/  ♦  + 


The  net  launch  site  observable  failure  rate  X  is 


X  =  X ,G  +  aG  +  X  H  +  cP 
d  d 


There  is  no  delay  in  detecting  failures,  i.e.. 


G  H 
e  =  e 


(28) 


(29) 


(30) 


1 V  Implies  that  only  one  subsystem  can  fail  at  a  time . 


v. 

A 

w 


ill 


The  probability  that  the  periodically  checked  portion  of  a  site  will  be 
good  t  units  of  time  after  the  warning  is  received  is  given  to  an  ex¬ 
cellent  degree  of  approximation  by; 


P 


The  queuing  equations  which  express  the  probability  [t]  that  exactly  k 
sites  will  be  down  in  the  post  warning  environment  are  given  by; 

(See  page  113) 


112 


r 


t .  j 


•o/' 


i 


113 


The  (average)  probability  of  being  up  for  any  one  member  of  the  squadron  is 
given  by 

9 

PUM  -  1  -  5  1  1  PiM  (33) 

i=l 

The  total  expression  for  augmented  availability  is  then  given  by  the  approxi¬ 
mate  expression, 


The  initial  conditions  to  be  used  in  solving  the  equation  set  (32)  are 
pJ°]  »  c  9(i-p  G[»]  p  H[»])k  (P  G[co]  P  H[-])9“k 

is,  3\  u  U  d  U 

3*5*2  Subsystem  Models 


5* 5*2.1  Re-entry  Vehicle  (Subsystem  A) 


The  Weapon  System  Summary  (2.1*0  indicates  that  the  re-entry  vehicle  is 
maintained  independently  of  the  other  subsystems  on  a  strictly  calendar 
basis  of  remove  and  replace.  Accordingly,  the  availability  of  this  sub- 
zjz  'yj. \  at  c.  random  point  in  time  is  given  by; 


-..w 


-XA(T  -  TrA)  j 
e 


(37) 


114 


I 


Tine  between  recycles  =  one  year 
Replacement  time  (constant)  -  one  day 

Probability  that  re-entry  vehicle  is  nonfailed  at  time  of 
installation 

Failure  rate  of  re-entry  vehicle 
.  ..  .2.2  Guidance  (Subsystem  B) 

The  guidance  subsystem  is  maintained  independently  of  the  other  subsystems 
on  a  slipped  schedule  basis.  Only  ten  minutes  of  the  checkout  time  is 
system  down  time.  The  expression  for  availability  is  given  by: 


<- 


1-P 


“p.  B 


u  d 


AaH  = 


;  (1-P4  \  B)/(Xd  B*  X  B)  ♦  P  %  B  [  V  =v  -  (TcB)'j 
k  ss  ss  s  s  uc  uc 


-X.  B  T  B 

rd  B  -  e  d=  S 

-X  btb 

r.  US 

P  B  =  e  s 

u 

s 


T  B  +  T  B  +  PjF]  (T  B  -  T 
s  c  B  '  r  c2' 


^(1-3®)  l-(l-aB)Pd  %  B 


s  c 


B  ;  3k  1  -  P  Bp  Bp  *P  B  (l-crB)  1  +  "0.-aB-3B)(l-p.bB) 

d  d  u  u  •  5 


(38) 

(39) 

(*0) 

m 


s  c  s  c 


-  <1  -  °B)  Pd  B]  Pd  B  Pd  B 

s  c., 

CL  x 


FBm  ■ 


(1  -  3B);1-(1-C!B)  P  B  P  B 
X  S  C 


i  +  u  -  7  -  3B)d  -  n2B)  -  (i  -  <*B)  pd  B;  pd  B  pd  B 

c2  !  s  cl 


(^2) 


115 


5. 5*2.3  Autopilot  (Subsystem  C) 
p. 5 *2. -4  Propulsion  (Subsystem  D) 

5. 5.2. 5  Structure  (Subsystem  E) 
5.5.2 .0  Overhead  Door  (Subsystem  F) 


These  subsystems  are  treated  as  a  group  for  periodic  checkout.  However, 
each  one  could  "be  treated  seperately.  It  is  in  this  sense  that  we  nay  con¬ 
sider  the  availability  of  each  suooyste  1.  Utilizing  lie  proper  superscript 
we  have  for  each; 


pit<3;V 1(1  -  pd  %  4 

A  [co]  =  1 _ S  S _ 

1  (X.  1  +  X  i)  T  1  +  T  1  +  P. [F]  (T  1  -  T  i) 

vd  u  '  s  c  i'-JVr  c0  ' 
s  s  2 

-X  1  T  1 
i  ds  s 


fd 


s 

•.  1  T  i 

i  us  5 

Pu  =  e 

s 


(43) 


(44) 

(45) 


P,[G;t  ]  = 


H^fl  -  31)  «1  -  (1  -  a1)  Pd  iPd  1 


s  c  - 


1  sk  .1  -  P.  *T  S>  ^  1  (1  -  a1):  I  +  [(1  -  a1  -  8i)(l  -  p-p1) 

1  d  u  d  u  '  ;  \  '  2 


s  s  c  c. 


(1-“1>pd  1  ■ 

c2  3  c! 


(46) 


p^Tf] 


(l-S1)  1  -  (l-a1)  pd  1  pd  i 

s  c 


1  +  f  (l-ai-3i)(l-^pi)  -  (l-a1)  P.  i?  P„  1  P,  1 


(47) 


1 


‘d  *d 
s  c. 


•*? 

■*% 


1 16 


5.5«2.7  Air  Conditioning  (Subsystem  G) 

5. 5*2.8  Power  Generation  and  Distribution  (Subsystem  H) 

These  two  subsystems  are  maintained  independently  of  each  other  and  the 
other  subsystems.  They  are  continuously  monitored,  hence; 


p..1  eA(X  1  +  a1} 

A  M  =  - = _ — _ _ _  HiA\ 

i  7T7  i ~  i\  f  i/ i. %  i.  ±.  TT.  I  T“  ±,  T  i IT7  v ' 


(a  +\d  +Xy  )  1  e  (a  +^d+P1+  P3  )  +  a  +^d  +P2  +P3  ) 


where  i  is  G  or  "H  . 


lhls  may  also  be  expressed  os: 

i 1  p.  1 


a  r°]  .  -a — sZi 

1  -r  .  -r 


t  + 1 , 

u  d 


(*9) 


where 


■‘l  +  *2  +  ^3 


t  = 
u 


- - -  {  (r^ -  +llj  (1  +  — )  +  —  1 

A1  +  * 2+  ^3  (J \  +  “  3  6 


(50) 

(51) 


e/u 


(Xd  +  *u  +  «)  +  ^3)  (1  +  ^  +  “§} 


(52) 


with  appropriate  superscripts  on  the  parameters. 


117 


5.5*3  Apparent  Availability 

The  expressions  developed  to  this  point  yield  true  availability.  To  the 
casual  observer,  however,  the  apparent  availability  is  given  by, 


A  C°°] 
u 


u 


t  +  t 
u  d 


(53) 


A  [co] 
u 


=  apparent  availability 


t  =  mean  time  assigned  to  alert 
t ,  =  mean  time  down  in  checkout  and/or  repair 


Referring  to  the  various^subsygtems; 


A  A[»] 
u  L 


(54) 


aubM 


T  B  +  T ®  -  (Tj B)’ 


(55) 


AuCnEFM 


Au 


T  C  +  t  G 
s  d 


'M  = 


tG 

u 


t G  + 1 G 
u  d 


A  H[oo] 
u 


tH 

u 


x  H  x  H 
t  +  t, 
u  d 


(56) 

(57) 

(58) 


where  t  G'^  and  t  G'^  are  defined  by  Equations  (50)  and  (5l)» 
u  d 


118 


5.6  Dependability 

5.6.1  System  Models 


5. 6. 1.1  The  System  Dependability  Matrix 

The  system  dependability  matrix  accounts  for  that  portion  of  the  mission 
following  receipt  of  the  execution  directive.  In  the  case  of  an  ICBM,  the 
matrix  must  account  for  the  following  factors, 

.  Reliability  aspects  of  communication  and  verification  of  the  launch 
directive  (P^) 

.  Countdown  (launch)  reliability  (p  ) 

.  Repair  potential  on  aborted  launch  attest 
.  Flight  reliability  (Pf) 

It  is  assumed  that  each  of  these  factors  is  independent  of  the  others, 
hence  we  write, 

R  =  P^,  P^ 


Then  the  elements  n_. ..  cf  the  dependability  matrix  [D'i  b  a  eerie : 


dio  =  cioIj  (1  -  R)J’±  1  =  1,  2,  ...  10;  ;  >  i  <  10 

(60) 


=  0,  ,i  <  i 


missiles  of  the 
exactly  10-i  are 

5 . 6 . 1 . 2  Communi cation  Reliability 
Txiis  factor  is  unity  by  assumption. 


Those  elements  are  the  probabilities  that  exactly  10- ,5 
squadron  •.rill  survive  countdorsi  end  fliqht :  qiven  that 
available. 


5.0.1. 3  Countdown  Reliability 


The  probability  of  successfully  completing  countdown  is  assumed  to  be 
expressible  in  the  form, 


RCD^  "  PCD^  PCD^t^CD^ 


(61) 


pc:DM 


The  probability  of  successfully  completing  countdown  with¬ 
out  specific  regard  for  the  duration  of  countdown . 


PCD[t/CD]  ' 


The  probability  of  completing  a  countdown  in  time  t  or 
less;  given  that  the  countdown  is  successfully  completed. 


The  probability  of  aborting  a  countdown  is  assumed  to  be  expressible  in 
the  form, 

1  -  RcjM  =  (1  -  pcdM!  PCD[t/CD’,  (62) 


PCD[t/0D]  - 


The  probability  of  completing  a  countdown  in  time 
less;  given  that  the  countdown  is  aborted 


t  or 


Provided  that  the  launch  site  is  in  an  apparently  ready  state  (no  known  fail¬ 
ures),  it  may  enter  oountdo'sr'  on  demand.  If  countdown  is  successful,  the 

missile  will  be  launched  in  a  time  t  or  less  after  the  initiation  of 

c 

countdown.  If  the  first  countdora  is  aborted,  it  will  enter  repair  at  a  time 

t  or  less  after  the  initiation  of  countdown.  The  repair  will  be  effected 
c 

at  a  mean  rate  u  and  a  second  countdown  ^n.11  then  be  attempted  Failure 
1  c 

to  successfully  complete  the  second  countdown  terminates  the  attempt  se¬ 
quence  under  the  given  assumptions.  The  possible  state  transitions  are 
indicated  in  Figure  B-l  of  Appendix  II. 


121 


Assuming  subsystem  independence, 


P  ["“l 


H 


ir 

i=A 


(64) 


•where 


Reliability  of  the  ith  subsystem  for  the  mean  length 

of  countdoT,m. 


The  factor  P^Ct/CD]  is  usually  empirically  determined  from  demonstration 
launch  attempts. 


122 


p.S.1.4  Flight  Reliability 

The  probability  of  successfully  completing  a  flight  is  assumed  to  be  expressible 
in  the  form, 

Ff[t]  =  RfX  [t]  (65) 

i=A 

Rf,1[t]  =  The  reliability  of  the  ith  subsystem  for  a  flight 

duration  of  the  length  t. 

The  R„  [t]  are  given  by  the  subsystem  models. 

5.6.2  _  Subsystem  Reliability  Models 
5* 6. 2.1  Countdown  Models 

We  shall  illustrate  the  principle  of  subsystem  modeling  for  only  one  typical 
subsystem,  namely,  the  re-entry  vehicle  reliability  in  countdown. 


The  reliability  functional  block  diagram  for  this  subsystem  is  illustrated  in 
Figure  6.  The  time  line  analysis  of  a  standard  countdown  is  shown  in 
Figure  3.  The.  appropriate  failure  rates  are  listed  in  Figure  5. 

.  Reliability  Model 

.  The  reliability  of  the  re-entry  vehicle  during  countdown  is  given 
by  the  product  of  the  reliabilities  of  the  subsystem  functions. 

.  The  reliability  of  a  subsystem  function  is  determined  from  the 
physical  organization  of  its  reliability  functional  blocks.  By 
inspection  of  Figure  6, 


.  r(a)  =  ra>1  •  ra<2 


ra.3  '  Ra.4  ’  ra.5 


A.  7 


(66) 


.  r 


A. 8  *  RA.9  ’  t1  “  0-  “  Ha.IO.I^1  "  RA.10.2^  '  RA.12 


.  Failure  Distribution 

.  The  exponential  function  best  describes  the  failure  pattern  of 
the  reliability  functional  blocks  of  Figure  6. 


123 


-A,  .  _  T,  . 

Typically:  R  = 

c  a. 3  A.  3 

(67) 

XA.3  ■ 

0.8  x  10~6 

(from  Figure 

5) 

(68) 

'■A.  3  “ 

~  £  /"  -S 

3) 

(69) 

These  results  hold  only  for  a  standard  countdown  of  fixed  duration.  When 
the  countdown  duration  is  variable  a  modified  procedure  must  be  used.  Let 
p  [t  <  t]  "be  the  density  distribution  of  the  durations  tQ  of  countdown. 
Let 

R  [t  -  y.  ]  -•  Reliability  of  ith  RFB  in  a  countdown  of 

c  -  duration  t  . 

c 

y  -  Non-operating  time  in  countdown. 

Let  RA[t  ,  y]  =  f[R  ]  be  the  total  subsystem  reliability  function. 

C  A*  1 

Then, 


R — ~[°°]  =  J  P  Ct  3  HA[t„,  y]  4- 
J0 


CD 


r\+. 


and 


RCDA[t/CD]  =  jfa  I  Pc[tcl  .rtt.,  v]  4tc 
K  CD 


(70) 


(71) 


5. 5.2. 2  Flight  Models 


These  are  handled  in  a  manner  completely  analogous  to  the  countdown. 
(See  Section  5*6.2 ), 


5*7  Design  Capability 

5.7.1  System  Models 

5. 7.1.1  Capability  Vector 

Although  a  system  may  be  available  and  function  as  designed  during  the  mission, 
the  system  may  still  fail  to  accomplish  its  intent  due  to  a  variety  of 
factors.  In  the  case  of  an  I CBM  such  factors  may  include. 


l 


124 


l 


f 


1 


•  Communication  interferences  (noise,  blanking, etc . ) 

.  Ground  vulnerability. 

..  Penetration  probability. 

.  Propellant  depletion  probability. 

Guidance  dispersion  . 

.  Warhead  yield  (overpressure  versus  target  hardness,  area,  etc.) 


It  is  convenient  to  treat  these  factors  from  the  standpoint  of  a  design 


capability  vector  C 


.n  s 


■J-'-lG, 


3 ten  effectiveness.  In  the  ore sent 


example  we  shall  restrict  ourselves  to  a  treatment  of  guidance  dispersion 
and  the  target  damage  function,  i.e>,  the  probability  of  target  damage 
expressed  as  a  function  of  war  head  yield,  miss  distance  and  target  hard¬ 
ness.  This  will  illustrate  the  nature  of  C,  but  it  should  be  carefully 
noted  that  the  situation  depicted  is  a  considerably  oversimplified  one. 


We  shall  define  a  design  capability  vector  C  as  follows, 


4 


c  = 


(72) 


where  the  are  the  expected  number  of  sites  destroyed;  given  that  i 

missiles  of  the  squadron  are  delivered  to  the  target  areas. 


In  the  example  chosen  for  illustration  here  it  was  assumed  that  the  nine 
sites  are  targeted  against  three  objectives,  three  missiles  to  a  target. 

One  successful  war  head  detonation  within  a  lethal  radius  will  destroy 

a  target. 


I 


125 


5. 7. 1.2  Per  Unit  Kill  Probability 


We  define  the  per  unit  probability  of  target  destruction  as  follows.  Let 
the  ensemble  average  of  the  probability  of  target  destruction  when  one 
missile  is  targeted  per  objective  be  P^, 


where 


1 D  [v 


f  [R  J 

g  0J 


dR, 


(73) 


[Rq]  is  a  target  damage  density  function. 


is  the  probability  that  the  warhead  is  delivered  './ithin 
a  distance  R_  of  the  target  with  successful  warhead 
detonation  ana  planned  yield. 


•f 

g 


[R01 


p 

rNPD 


P  Trip  P  Fr  1 
rNPDL  0J  P  g  L  0J 


'  VJH 


(Im¬ 


probability  of  no  propellant  depletion  (a  function  of 
target  range,  launch  error,  propellant  reserve,  etc . ) 


P  =  Penetration  probability  (function  of  decoys  and 
P  effectiveness  of  counter  measures). 

P  =  Guidance  accuracy  dispersion. 

G 

P^  =  Re-entry  vehicle/war  head  yield  dispersion. 


126 


ft 


TABLE  I.  EXPECTED  KILL  AS  A  FUNCTION  OF  TARGETING 


Ho.  of  Ho.  of 


Detona  e&  Missiles 

Missiles/ 

'Target 

Expected  Kill 

9 

111 

111 

111 

3[1-(1-Pk(::))3] 

8 

111 

111 

11 

2[1-(1-Pk(x))3]  +  [1. 

-(1-Pk(::))2] 

7 

1 

111 

111 

1 

1.25[l-(l-P,_(::))J]  + 

A. 

1.5Cl-(l-Pv(:0 

it 

-)2i 

111 

11 

11 

+  .25Pk(:c) 

6 

111 

111 

0 

I  [l-(l-P  (x))3]  + 

1 

0)21 

111 

11 

11 

11 

1 

11 

+  h  pu(x> 

5 

111 

11 

0 

2j.  [l-(l-?1;(::)  )3]  + 

on 

111 

11 

1 

11 

1 

+  p  M 

HI 

2. 

111 

1 

0 

itl-(l-P,.(X))3]  + 

T  " 

:))2] 

11 

11 

0 

+  —  P,.(z) 

11 

1 

1 

T  * 

3 

111 

0 

0 

|y  [1-(1-P,.(::))3]  + 

I %  ti-(i-Pk(: 

O)2] 

11 

1 

1 

.1 

0 

1 

+  s 

2 

11 

0 

0 

.25[1-(1-Pk(::))2]  + 

1-5P,.(:0 

1 

1 

0 

1 

1 

0 

0 

Pk(x) 

0 

0 

0 

0 

0 

127 

*  *■ 

<4- 


12/ 


For  example  '/hen 

PD[R0j  ■  6®o-rl] 


Then 


Lethal  radius 


pu  ’  J  „(1- 


■*nV 


)  6[R0  -  Rj.]  dR0 


=  1  -  e 


~h2/*2 


(75) 


(76) 


(77) 


For  the  assumed  targeting  plan  described  earlier,  the  C  may  be  defined  in 

HI  1 

terms  of  as  follows; — - 
Cg  =  3d  -  (1-Pk)3] 
c8  =  2d  -  (i-Pk)3l  +  i  -  d-plc)2 

c?  -  i.25d  -  (i-Pk)3l  +  i-5d  -  d-Pk)2]  +  -25  p1; 


c6  -  f[1  -  +  *  T5  pk 

°5  -  -  <l-V3’  +  fCl  -  (1-pR>a;i  +  ii  pk 

c4  -  fCl  -  (1'pi:)3]  *  it1  -  <1-p/]  *  f  pk 


c3  -  U1  -  +  U1  -  (i-pk)2i  - 1  p4 

c2  =  .25d  -  (1-PjJ2]  +  1.5  P1: 


c 


l 


k 


C 


0 


0 


12/  see  5 -7 -2.1  and  5 *7 *2. 2  for  the  development  of  these  functions. 
13/  See  Table  I. 


128 


5.7*2  Subsystem  Models 


We  shall  illustrate  the  development  of  the  per  unit  kill  probability  by  con¬ 
sidering  only  two  of  the  factors  of  P,  ,  namely,  guidance  dispersion,  and  war 

a, 

head  effects.  We  shall  assume  that. 


P  =  "O 

NPD  *P 


(79) 


5. 7. 2.1  Guidance  Dispersion 

C  onsider  the  coordinate  system  of  Figure  14.  The  variables  'y  and  y  are  the 
down  range  miss  distance  and  bias  error  respectively.  They  are  measured  in 
the  "plane  of  fire"  along  a  line  tangent  to  the  earth  at  the  planned  impact 
point.  The  plane  of  fire  is  that  plane  which  is  defined  by  the  three  points; 
the  earth's  geometric  center,  the  launch  site,  and  the  planned  impact  point. 


The  variables  ::  and  ::  are  the  cross  range  miss  distance  and  cross  range 
bias  error,  respectively.  They  are  measured  along  a  line  orthogonal  to  the 
plane  of  fire  and  passing  through  the  planned  impact  point. 


It  is  usually  assumed  (or  demonstrated)  that  ,  x  -  x  and  y  -  y  are 
independent,  gauss ian  variables  of  zero  mean.  If  ox  and  a  are  the 

y 

respective  standard  deviations  of  these  variables,  then  the  miss  distance 
defined  as, 

B  k  V>;2  .  (80) 


is  distributed  as  follows, 


Vn  2  2 

vR„  -y 


P[R  <  Rq]  - 


2na  a 


\  J:  4V 


-i  - 

e  y  dxdy 


(81) 


This  function  cannot  be  expressed  in  closed  form  for  the  general  case 
although  it  is  widely  tabulated  for  specific  choices  of  the  variables. 


129 


t 


Y 

FIGURE  14,  COORDINATE  SYSTEM  OF  MISSILE  IMPACT  DISPERSION 


130 


Ml 


For  the  present  Illustration,  therefore,  we  shall  set. 


a..  = 

n  =  y  =  0 


(82) 


Then  using 


cb.dy  = 


rdrd'3 

2 

=  r 


we  arrive  at  the  circular  error  function, 

-r2/2t2 

PrR  <  Rq]  =  1  -  e 


(83) 

(84) 


.7.2.2  Point  Target  Blast  Damage  Function 

We  shall  assume  that  the  fleet  is  targeted  upon  point  targets;  that  is, 
targets  whose  area  is  small  compared  to  the  total  area  of  weapon  effect. 
We  shall  also  assume  that  of  the  three  possible  weapon  effects, 

.  Heat 
.  Radiation 

.  Overpressure  (blast  damage), 
only  the  latter  has  appreciable  affect  on  the  target. 


Under  these  assumptions,  the  target  damage  function  may  be  expressed  as  a 
function  of  three  parameters 
.  Overpressure 
.  Target  hardness 
.  Miss  distance 


In  order  to  simplify  the  example,  we  shall  assume  the  unity  damage  function; 
that  is,  the  probability  of  target  destruction  is  given  by 


VR0  < 


R] 


I  1  i  0  <  R0  <  Rl 
i  0  ;  Rq>  Rl 


(85) 


where  is  the  so  called  "lethal  radius."  Note  that  the  damage  density 


111 


function  is, 


PD[V  ■  8[Eo  -  "l3  ■ 


<!■ 


132 


6.0  DATA  ACQUISITION 


6.1  Specification  of  Data  Elements 

The  basic  infomation  from  the  field  which  is  reouired  to  estimate  the  para- 

14/ 

meters  associated  with  availability  and  countdown  reliability--^  a  chrono¬ 
logical  listing  of  the  time  (nunner  of  maintenance  cycles  from  repair  to 
repair)  by  site  and  by  subsystems;  that  is,  the  time  (number  of  maintenance 
cycles)  between  a  repair  and  the  ne:rfc  no-go  checkout.  This  data  may  be 
called  apparent  failure  data. 

In  Eiddition  to  this  apparent  failure  data,  it  is  necessary  to  record  the 
total  down  time  resulting  from  each  apparent  failure.  Total  down  time  per 
failure  is  defined  as  starting  from  the  instant  that  the  system  is  declared 
to  be  failed  and  continuing  until  reassignment  of  the  system  (subsystem)  to 
alert. 

Also  it  is  necessary  to  record 
.  alert  duration 

.  the  duration  of  an  all- go  checkout 
.  the  duration  of  a  no-go  checkout 

.  the  duration  of  time  from  the  start  of  a  test  to  the  point  in  checkout 
at  which  test  decision  is  made. 

The  evaluation  of  test  coverage  requires  a  detailed  failure  analysis  of  a 
semple  of  rejected  equipment.  Such  an  analysis  must  be  conducted  against  the 
Technical  Order  or  test  equipment  which  led  to  the  rejection  in  order  tc 
ascertain  if  any  of  the  failures  which  are  noted  during  the  failure  analysis 
could  have  been  missed  and  were,  in  fact,  not  responsible  for  the  rejection. 


1 4/  Certain  portions  of  the  launch  sequence  are  not  estimable  from  field  data. 
Flight  reliability  is  not  estimable  until  a  correlation  has  been  made 
between  ground  environmental  stresses  and  flight  environmental  stresses. 


133 


In  oriel,  the  following  information  is  required  in  order  to  evaluate  and  im¬ 
prove  the  readiness  of  systems  and  subsystems: 

.  location  (by  site  number  and  base). 

.  name  (description)  of  checkout. 

.  name  (description)  of  subsystem  or  items  or  components  etc. 

.  tine  and  data  of  assignment  to  EUO  status. 

.  time  and  date  of  entry  into  checkout  (failure). 

.  time  and  date  of  each  problem  encountered  in  checkout. 

.  description  of  each  problem  encountered  in  checkout. 

.  date  of  bench  test  of  rejected  parts. 

.  results  of  bench  test. 

.  date  of  tear-down  failure  analysis  of  rejected  parts. 

.  results  of  failure  analysis. 


6.2  Specification  of  Test  lietliodology 


Because  the  ICBii  fleets  are  operational,  no  discussion  will  be  given  of  test 
methodology  in  the  conceptual,  definition,  and  acquisition  phases.  Hie  current 
document  in.ll  restrict  itself  to  a  discussion  of  a  suitable  test  methodology 
for  the  operational  phase  of  system  life. 


In  principle,  it  is  possible  to  obtain  all  the  information  required  to  im¬ 
plement  the  effectiveness  model  developed  herein.  Jill  that  is  required  is  a 
complete  system  enercice.  That  is  a  practical  impossibility. 

The  second  best  approach  involves  a  combination  of 
.  field  testing 

.  normal  maintenance  actions 
.  impromptu  survey  inspections 
.  special  field  cnercises 
.  depot  analysis 

.  bench  test  results 
.  tear  do*/n  failure  analysis 
.  special  non-field  tests 


i 

i 


134 


.  recycle  to  depot 
.  VAZB  launches 
.  lot  acceptance  tests 

The  point  of  view  adopted  with  respect  to  field  tests  is  one  of  practical 
necessity.  The  majority  of  the  data  is  obtained  in  the  course  of  normal 
maintenance  actions  and  the  impromptu  inspections  which  are  part  of  the 
current  field  practices. 

The  validity  of  this  data  as  a  true  measure  of  the  actual  state  of  the 
fielded  system  is  not  an  assumption  which  can  be  tolerated.  Therefore,  the 
parameter  estimation  methods  of  section  7.0  make  no  such  assumptions. 

However,  those  methods  are  workable  only  when  they  are  supported  by  a  limited 
number  of  "special  field  exercises"  and  the  results  of  depot  analyses  and 
special  tests  not  conducted  in  the  field. 

The  oasic  test  methodology  to  be  employed  in  the  field  is  as  follows : 

.  the  time  between  successive  "periodic"  inspections  on  each  subsystem 
must  be  variable,  involving  at  least  three  different  standby  periods. 

.  a  limited  number  of  checkouts  must  be  repeated  twice  (three  in  a  row) 
in  a  back  to  back  to  bad;  fashion  irithout  regard  for  the  intermediate 
tests  results,  i.e.,  repair  is  not  initiated  between  tests.  This  is 
done,  of  oourse,  only  when  safety  permits. 

6.3  Specification  of  Data  Reporting  System 

Data  on  the  ICBM  status,  maintenance  actions,  and  countdown  results  are 
currently  reported  in  the  U-82,  AKI  66-1,  and  U-86  data  reporting  systems 
respectively.  A  realistic  approach  to  data  collection  requires  a  considera¬ 
tion  of  these  systems. 


135 


Hie  ur.ha  elements  specified  in  Section  6.1  above  are.  currently  obtained  hap¬ 
hazardly  b:/  means  of  these  reporting  systems  in  accordance  with  fluctuating 
schedules,  indicated  failures,  and  impromptu  inspections.  Hiis  erraticness 
is  frequently  an  asset  to  the  calculation  of  parameters.  However,  a  methodical 
variation  in  scheduled  inspections  is  highly  desirable  from  the  standpoint  of 


accuracy  of  parameter  estimation.  In  any  event,  whether  they  are  scheduled, 


or  unscheduled,  equipment  inspections  provide  information.  Hie  limitations 
and  uses  of  this  information  in  estimating  parameters  are  given  in  Table  II. 


136 


TABLE-  II-  DATA  AVAILABLE  FROM  CURRENT  AF  DATA 
REPORTING  SYSTEMS 


Items  of  Information 

U-821 2'6 

U-863'7 

AFM  66- 18 9 

location  (by  site  number  and  base) 

yes 

yes 

yes 

Name  of  checkout 

2 

no 

i 

yes 

no^ 

Name  of  subsystem 

4 

yes 

yes 

yes4 5'10 

Time  and  date  of  assignment  to  EWO 

yes 

no 

no 

Time  and  date  of  entry  to  checkout 

yes 

yes 

date  of 

Time  and  date  of  each  problem 
encountered  in  checkout 

yes 

yes 

completion 

only 

problem 

rrxly11 

Description  of  each  problem 
encountered  in  checkout 

13 

yes 

yes 

yes11 

Date  of  bench  test  of  rejected 
parts 

no 

no 

date  only*’ 

Results  of  bench  test 

no 

no 

yes'* 

12 

Date  of  tear-down  failure 
analysis  of  rejected  parts 

no 

no 

no 

Results  of  failure  analysis12 13 

no 

no 

no 

1  "by  exception"  reporting,  i .e . ,  only  when  condition  takes  site  off  alert. 

2  was  removed  from  data  system  recently  (November  1963)*  Is  scheduled  for 
return  to  data  system  vhen  checkout  S.G.C.  are  detailed  in  -06  code  books. 

3  reports  countdown  only. 

4-  through  Work  Unit  Code  correlation  only. 

5  available  for  recoverable  items  only. 

6  key  punched  for  machine  processing. 

7  not  keypunched. 

8  partially  keypunched. 

9  requires  support  general  code  of  -0 6  code  and  changes  to  T.O.-0020E-1. 

10  no  Work  Unit  Code  when  checkout  only. 

11  cannot  correlate  checkout  AFTO  forms  and  resulting  maintenance  problem. 

12  can  be  directed  by  responsible  AHA  as  a  special  task  for  problem  areas. 

13  problem  —  frequently  cannot  be  correlated  to  checkout  data. 


137 


The  following  are  currently  know  deficiencies  of  these  data  systems: 

.  Alert  Status  (up- time)  is  not  reported.  Instead,  the  site  is  assumed  on 
alert  unless  specifically  reported  off  alert  (SAC  Regulation  66-7,  para¬ 
graph  4a).  This  leads  to  erroneous  "up"  time  data;  e.g.,  Walker  I  was 
assumed  "on  alert"  for  some  time  because  no  one  reported  it  off  alert. 

The  data  files  were  eventually  corrected  in  this  case.  In  October  19^3, 
the  P  Series  data  for  June  and  July  had  -to  be  corrected  "because  two  weeks 
data  from  one  squadron  was  received  three  months  late  (it  had  been  assumed 
that  the  facility  was  on  alert  since  it  hadn't  been  reported  otherwise). 
Solution:  Go  closed  loop  by  having  the  site  report  the  "Total  Clock 
Hours  on  Alert"  in  columns  28  =  31  of  SAC  Form  127,  each  week.  This  will 
make  it  mandatory  for  each  site  to  report  the  on-off  status  each  week,  and 
eliminate  the  guess  work. 

.  There  is  no  clearly  defined  relationship  between  the  "status"  categories 
and  the  portion  of  the  system  being  tested.  Also  the  same  "status"  cate¬ 
gory  appears  to  be  used  for  both  a  partial  test  and  a  complete  test. 

.  Inconsistencies  have  been  frequently  noted  between  data  reported  on  the 
SAC  Form  127  (U-82)  and  the  U-86.  In  one  instance  the  U-86  reported  24 
countdowns  while  the  U-82  reported  4l  countdowns  for  the  same  time  period. 
Only  ten  of  these  countdowns  were  common  to  the  two  data  systems. 

.  SAC  Form  127  reports  have  had  frequent  occurrences  of  the  following  types 
of  errors. 

.  "Total  clock  hours  off  alert"  for  the  system  does  not  equal  the  sum 
of  the  individual  alert  degradation  times  (must  be  equal  by  defini¬ 
tion  of  alert  degradation  time). 

.  Time  gaps  exist  between  end  of  one  category  and  the  beginning  of  the 
next  category. 


138 


System  down  time  periods  overlap  each  other. 


.  System  is  returned  to  alert  without  accounting  for  all  of  the 
alert  time. 

.  Cards  submitted  — ith  incomplete  information. 

It  is  our  understanding  that  steps  are  currently  being  taken  by  SAC  to  mini¬ 
mize  these  errors  by  having  audits  made  at  different  reporting  levels  and  in 
greater  depth.  The  results  of  the  SAC  auditing  procedures  on  the  quality  of 
the  data  has  not  yet  been  determined.  (May  1964) 


139 


7.0  SP3CI7ICATI0I!  OF  P/O.UI3T3S  3S2I1^IC::  ILSEiODS 


7*1  Point  of  Vie;/ 


There  are  tvo  fundamental  difficulties  associated  vihk  field  data-  xith  uhich 
all  practical  methods  of  parameter  estimation  must  sue cos sillily  cope:  (l) 
the  data  usually  arises  from  fortuitous  system  exercise  as  opposed  to  the 
careful  planning  associated  vith  controlled  experiments,  and  (2)  the  judg¬ 
ments  made  regarding  the  true  state  of  the  equipment  are  not  necessarily 
complete,  accurate,  or  timely. 

The  first  difficulty  is  frequently  a  virtue  in  disguise;  the  irregularity 
of  the  schedule  of  system  exercises  may  be  utilized  to  obtain  a  separation 
of  the  time  dependent  system  parameters  from  thoso  vhich  are  time  invariant. 
Indeed,  a  variation  in  the  time  between  exercises  is  absolutely  essential, 
although  a  planned  variation  mould  yield  better  parameter  estimates  xith  less 


data. 


The  second  difficulty  is  surmountable  only  in  a  limited  sense.  Lack  of  test 
coverage  may  he  compensated  for  by  means  of  a  tear  doxn  failure  analysis 
program. 

Mistaken  judgments  may  be  explicitly  accounted  for  and  estimated  in  a  manner 
to  be  illustrated  later.  Lack  of  system  exercise  nay  be  circumvented  by 
recycle  of  field  equipment  to  a.  bhsc  depot  for  special  test  on  a  scheduled 


On  the  other  hand,  failure  to  renort,  ei-roneous  entries,  inconsistent  inter¬ 
pretations  of  events,  and  misinterpretation  cf  codes,  procedures,  ct  r.].;  re- 
cuire  direct  action. 


In  the  light  of  the  above  comments,  the  basis  of  the  parameter  estimation 
methods  to  be  developed  here  may  be  surriariscd  as  folloxs. 


140 


a.  checuouv.  passes  or  rejects  c.n  rue:  c:„  csaipvicnc;  a  reu  ecncn  is  ncu 
necessarily'  a  failure ,  nor  does  a  pass  necessarily  guarantee  a  ncn- 
faiied  system. 

test  coverage  is  incomplete. 

failures  are  not  necessarily  observable  at  the  instant  of  occurrence. 


7.2  techniques  of  fararcter  hstiiiation  from.  'field  Data  on  Periodically 
Chocked  Systems 

7.2.1  Introduction 

— —  —  ■  ■  ■  ■-  •  <u 

Equipment  operation  for  5!p or iocl i c ally :  1  chochod  systems  is  characterised  'ey 
tine  vai'-iable  nodes  of  operation  defined  by  the  system.  Maintenance  policy. 
In  general,  equipment  stress  levels  an.d  fa.ilv.rc  distributions  tend  to  differ 
betreen  nodes  of  operation. 

Chech'out  survivc.1  probabilities  are  ordinarily  cost  considered  rithout 
specific  regard  for  cbcchout  duration  since  ecpiip:  rent  tests  undoubtedly  dpi 
a.  nirfcure  of  binomial  (event)  probabilities  and  tire  delayer  c'por.antinls. 

Cn  the  other  hand,  it  is  necessary  to  acsviie  (or  determine )  a  specific  dis¬ 
tribution  of  failures  for  the  standby  node  of  operation  in  order  to  be  able 
to  compute  the  ejected  tine  to  failure  in  tha.t  node  of  in cr. tie:..  ‘Zee re  r.r 
substantial  .grounds  for  selecting  the  cnponontial  failure  distribution  '..hen 
the  population  is  a.  heterogeneous  '.future,  as  is  likely  the  esse  in  cor  pie  ' 
c  c  11 x]  y.  .10 11  c  • 


Hie  specie ic  techniques  of  parameter  csti'r.tion  aeveiopcd  here  range  on  the 
variability  of  system  sr.intcna.nce  policies / p roc: e dure s .  fine  variable  syste; : 

jparated  from  time  invariant  oysten -parameters  by  rtilini 


the  results  of  chcchouts  oerf on  :ed  subseouent  so  standby  durations  of 


■ u 


length,  ike  results  of  a.  sequence  of  ba.ch  to  bach  chcchouts  performed  vitho 
regard  for  the  results  of  the  earlier  chcchouts  yields  inf or. ration  cf  use  in 
separating  certain  time  invariant  system  parameters.  In  the  foiio-.rlng,  the 

•USlBlif  iwtlunque  -is-  illustrated. 


141 


7.2.2  Time  Line  Sequence  of  the  Basic  Periodic  Maintenance  Policy 


Figure  8  illustrates  a  typical  sequence  of  information  as  described  by 
field  data.  The  equipment  is  assigned  to  standby  for  a  time  duration  Tg 
(which  may  vary  widely  between  successive  assignments ),  ax  the  end  of  which 
it  enters  checkout.  During  the  checkout  the  equipment  is  ’'tested"  and 
passed  or  rejected.  The  set  up,  warmup,  and  test  performance  take  a  time 

1  if  the  system  is  "no-go".  These 


system  is  "go1 


onu  a  time 


times  are  not  necessarily  equal  nor  constant  from  test  to  test.  Demating, 
cleanup,  etc.,  take  a  time  T  for  a  "go"  test.  This  time  may  also  be 
variable  from  test,  to  test.  A  "no-go"  leads  to  a  repair  time  Tr  which  is 
defined  as  commencing  at  the  first  "no-go"  indication  and  continuing  until 
all  necessary  repairs  and  rechecks  are  completed. 


7.2.3  The  Concept  of  a  Test 

Tire  point  of  view  adopted  here  requires  that  the  nature  of  a  test  be  care¬ 
fully  delineated.  Specifically,  the  test  will  have  four  basic  properties, 
first,  it  will  "pass"  or  "reject"  an  equipment  at  a  specific  point  in  tine. 
That  is,  it  is  assumed  that  the  test  decision  occurs  at  a  well  defined 
point  in  time.  Second,  it  •'.rill  on  occasion  "false  alarm"  a  nonfailed 
characteristic  of  the  equipment;  i.e.,  it  will  call  a  good  system  bad. 

Third,  the  test  will  sometimes  pass  o  failed  characteristic.  That  is,  it 
will  not  al-rays  reject  a  failure  which  it  presumably  is  designed  to  detect. 

A  test  which  does  this  too  frequently  is  one  of  poor  "quality".  The  quality 
of  a  test  we  shall  define  as  the  probability  of  detecting  a  failed  system, 
given  that  the  system  is  failed  on  or  before  the  time  that  the  point  of  test 
decision  is  reached.  The  fourth  and  last  property  of  a  test  is  "coverage". 

3y  coverage  we  shall  mean  that  not  all  the  possible  equipment  functional 
characteristics  are  examined  by  the  test.  It  is  assumed  that  the  failure 
of  such  a  characteristic  cannot  cause  the  test  to  reject  the  equipment,  since 
its  effect  on  the  equipment  is  indeterminate  from  the  test.  However,  we 
shall  further  assume  that  all  equipments  which  have  failed  in  this  manner 
will  be  eventually  rejected  by  either  a  false  alarm  or  by  the  detection  of 
a  failure  of  an  observed  characteristic  of  the  equipment. 


142 


These  concepts  may  be  readily  formalized  as  follows.  Assume  that  at  the 
point  of  test  decision  the  test  acts  instantaneously  to  partition  failed 
equipments  from  ncnfailed  equipments  as  indicated  by  the  partition  of 
Figure  15.  Consider  the  action  of  the  test  at  this  point  in  time  on  a  total 
of  II  =  +  II g  +  II ^  +  +  Nj-  +  Ng  equipments  all  of  one  kind.  (Alternatively, 

one  equipment  may  be  tested  N  times  in  succession  and  may  be  either  good 
or  bad  at  each  test. )  Let  1T^  +  he  the  true  number  of  nonfailed  equip¬ 
ments.  Let  II ^  +  II ^  equipments  have  one  or  more  failures  which  are  inherently 
detectable;  that  is,  they  contain  failures  among  the  essential  character¬ 
istics  vhich  are  a:smined  by  the  test,  but  they  will  not  necessarily  all  be 
detected  because  of  "noise"  or  because  some  of  the  failures  may  be  marginal. 

In  addition  let  there  be  II ^  +  Kg  equipments  which  contain  no  failures  among 
the  characteristics  which  the  test  e:camines,  but  which  do  contain  one  or  more 
failures  among  the  characteristics  which  are  not  examined.  V/e  may  now  make 
the  following  definitions  if  the  total  number  of  equipments  being  examined  is 
very  large 


p[°!tk  +  Tox]  i 


t,. 


V 

:  ± 

i=l 

V 

V-k 

6 

y 

L 

iyi 

i=l 

V 

Hr 

O 

b 


i=l 


=  probability  of  no  failures  of 
any'  kind  at  t  =  t.  +  T  . 

"  C1 


=  probability  of  one  or  more 
failures  of  the  "detectable 
in  principle”  type  at  t  = 


probability  of  one  or  more 

failures  that  are  "inherently 

undetectable"  at  t  =  t.  +  T  . 

k  c. 


143 


144 


These  partitions  of  the  true  facts  concerning  the  states  of  the  equipments 
at  the  instant  of  test  decision  are  shorn  in  the  left  hand  cores  of  Figure  15. 
The  right  hand  cores  of  Figure  15  sho”  the  partition  of  the  equipments  uhich 
result  as  a  consequence  of  test  decisions.  If  a  is  the  probability  of 
calling  any  nonfailecl  characteristic  'cad,  given  that  it  is  examined  by  the 
test,  then  re  nay  rrite 


false  alarm  probability 


ana 


T! 


•6 


I’cr  + 

5  ti 


false  alarm  probability 


There  is  no  physical  reason  to  presume  that  a  ^  a' ,  hence,  re  shall  i/rite 
vithout  further  .justification 


We  further  define  a  parameter  p 


1  -  p 


probability  of  catching  an 
"inherently  detectable"  failure. 


ITotice  that  the  question  of  test  coverage  has  been  accounted  for  in  the 
above  by  introducing  the  notion  of  an  "inherently  undetectable  failure." 


7.2.4  The  Probability  of  Passing  a  Test 

We  are  nor’  in  a  position  to  rigorously  define  the  probability  of  passing  a 
test.  Let, 

=  The  probability  that  the  inherently  detectable  equipment  character- 

g  istics  are  good  at  the  beginning  of  the  standby  period. 

=  The  probability  that  the  inlierently  detectable  equipment  character- 

s  istics  survive  the  standby  period;  given  that  they  were  unfailed 

at  the  time  of  assignment  to  standby. 


145 


The  probability  that  the  inherently  detectable  equipment  character¬ 
istics  survive  checkout  up  to  the  point  of  test  decision;  Given 
that  they  are  nonfailed  at  entrance  to  checkout. 

The  probability  that  the  inherently  undetectable  equipment  character¬ 
istics  are  good  at  the  beginning  of  the  standby  period. 


P  =  The  probability  that  the  inherently  undetectable  equipment  character- 
us  istics  survive  the  standby  period;  given  that  they  were  nonfailed 
at  the  time  of  assignment  to  standby. 


The  probability  that  the  inherently  undetectable  equipment  character¬ 
istics  survive  checkout  up  to  the  point  of  test  decision;  given 
that  they  were  nonfailed  at  entrance  to  checkout. 


The  probability  that  the  equipment  will  be  nonfadled  at  'the  point  of  test 
decision  is, 


(87) 


The  probability  that  the  equipment  will  be  failed  undetectably  at  the  point 
of  test  decision  is, 


(1  -  P 


UG 


P 

u 

s 


(GO) 


The  proability  that  the  equipment  id.  11  be  failed  detectably  at  the  point  of 
test  decision  is. 


(09) 


The  probability  of  passing  the  test  P[Pj  is,  in  general, 

P[P]  =  (probability  of  being  good  at  point  of  test  decision)  x 
(probability  of  no  false  alarm)  +  (probability  of  being 
failed  undetectably  at  thc-point  of  test  decision)  x 
(probability  of  no  false  alarm)  +  (probability  of  being 
failed  detectably  at  the  point  of  test  decision)  x 
(probability  of  not  catching  the  inherently  detectable 
failure) 


146 


147 


f.2.6  Use  of  Variable  Standby  Duration  as  a  Means  of  Variable  Separation 


Hie  probabilities  of  Equation  (90)  nay  be  separated  if  control  can  be  ex¬ 
erted  over  some  factor  upon  which,  the  probabilities  are  dependent.  A 
likely  candidate  is  the  duration  of  standby.  If  the  failure  distribution 
in  standby  is  e::ponential,  then 


(93) 


and  if  T  is  variable,  then  Xfl  may  be  estimated.  For  example,  suppose 
s  us 

that  the  field  date  can  be  subdivided  into  three  groups  for  each  of  which 

T  is  constant  but  unequal  between  groups.  Specifically,  if  the  various 
s 

values  of  Tg  are  T,  2T,  and  3T,  and  if  there  are  M^,  Mg,  and  XL 
reports  in  each  Group,  then; 


~\lT 

+  e  S  Pd  Pd  (1  -  a  -  p) 
Si  C1 


-X,  2T 

s?  d 

iT  =  5  +  e  Pd  Pd  ^  “  -  V 

2  g2  cL 


-Xd3T 


IX 


=  +  e 


Pd  Pd  (1  "  G' 

s3  C1 


-  !3) 


(SA) 


(95) 

(96) 


where  s^ ,  Sg,  and  s^  are  the  number  of  successful  tests  in  each  group  and 

where  Pd  =  Pd  =  P^  if  there  is  no  regularity  in  the  succession 

G^ 

of  T,  2T,  and  3^  on  any  given  equipment.  Equations  {9b),  (95);  and  (96) 
may  be  readily  combined  to  give; 


148 


1 


(97) 


Thus,  three  different  values  of  Tn  in  the  ratios  1,  2,  3  allows  a  unique 

separation  of  the  standby  failure  rate  and  the  Type  II  statistical  error  of 

the  test  and  a  certain  composite  parameter.  Ho  further  separation  can  be 

achieved  by  variation  of  the  standby  duration.  The  method  just  considered 

is,  of  course,  hopelessly  optimistic.  It  is  too  much  to  e;pect  the  nice 

neat  ratios  T,  2T,  and  3T  for  Ts»  The  method  must  be  generalized.  This 

can  be  done.  Let  IT.  be  the  number  of  test  failures  out  of  M.  attempts 

i  i 

where  T  =  T . .  Then  it  is  reasonable  to  search  for  a  value  of 

si  d 

g 

which  will  minimize 


o 

4 


149 


G 


13  r«7>  1 


■3)}  !2  (ioi) 


That  is,  we  seek  that  value  of  h.  which,  minimizes  the  sum  of  the  squares 

cj 

of  the  differences  between  the  observed  number  of  test  failures  and  the  pre¬ 
dicted  number  of  test  failures. 


The  mathematical  problem  is  to  minimize  the  function  G,  regarded  as  a 

function  of  1.  ,  and  the  composite  parameter  P,  P  (l  -  a  -  3) 

,  .  ..  as,  .  ,  c,  g 

suo.ject  ‘co  one  constraints  1 


0  < 


1 


0 


< 


(1 


Cl 


3)  <  l 


o 


(102) 


A  specific  satisfactory  approach  to  the  solution  of  this  problem  is  to  keep 

the  partial  derivatives  of  G  equal  to  zero  and  test  the  function  values 

of  G  for  a  minimum  vhile  increasing  from  zero.  It  should  be  noted 

s 

however,  that  at  least  three  different  values  of  the  lb  are  required, 
but  they  nay  be  in  any  ratio  one  to  another. 


7.2.Y  use  of  Pack  to  3acl;  Checkouts  in  Effecting  Separation  of  the  Variables 

Additional  separation  of  the  system  parameters  may  be  accomplished  if  a 
sequence  of  back  to  bad:  checkouts  is  performed  without  regard  for  the  in¬ 
termediate  test  results.  Consider,  for  example,  the  situation  depicted  in 
Figure  16. 


1 


T 


C1  °2  ^ 


T. - 


t  - * 


FIGURE  16.  A  SEQUENCE  OF  TWO-BACK-TO-BACK  CHECKOUTS 
OUT  OF  STANDBY  WITHOUT  REGARD  FOR  THE 
FIRST  TEST  RESULTS 


The  probability  of  passing  the  first  checkout  is  given  by; 


(103) 


If  the  test  results  of  this  checkout  are  ignored  (but  noted)  and  the  equip¬ 
ment  is  immediately  retested,  the  probability  of  passing  the  second  checkout 
is  given  by; 


(i  -  «  -  ;) 


(104) 


If  ve  now  utilize  the  estimate  of  p  obtained  from  Equation  (99);  then  ve 
have.  Step  4  . 


(105) 


It  should  be  carefully  noted  that  Tc  and 
necessary  preliminary  physical  fact  ^  of 


P.  are  assumed  to  be  a 
d 

Q 

2  retest. 


151 


r.o\:  consider  Figure  17  which  illustrates  the  situation  of  three  cliechoutr. 


t - ►  12  3 


FIGURE  17.  A  SEQUENCE  OF  THREE  CHECKOUTS  BACK-TO-BACK 
WITHOUT  REGARD  FOR  THE  INTERMEDIATE  TEST 
RESULTS 


The  probability  of  passing  the  first  test  is  given  by 


(106) 


The  probability  of  passing  the  second  test  is  given  by. 


v 


152 


V 


The  probability  of  pas cine  the  third  test  is  given  oy; 


’i  ’  3  +  pa  pa  -a  3  *4  *<*-«-» 

G  s  =1  =2 


(103) 


Hie  probability  of  pass ins  the  first  test  and  failing  the  second  test  is 
Given  by; 


f.  *  <l  -  »  *\  pa  a-c.--,,)1 

'■*  r»  /”» 

*  *  W  '"'i 


-  rcl  Pd  Pd  ^  Pd  (1  -  c)  (1  -  a'  -  ,3) 
G  s  ^  c2 


(109) 


where  Ii  is  the  number  of  such  successive  atteirpts  and  K  is  the  number 
which  pass  the  first  and  fail  the  second  atteupt .  Combining  Equations  CIO's), 
(107),  and  (108)  we  have  Stop  9. 


y  -  Pd  *d 

C1  C2 


=  P. 


_2 

M 


_0 

M 


_1 

U 


(110) 


2. 

M 


and  an  alternative  to  Sten  2. 


ii  = 


s,  s„  s_  S 

U  II  ^  II' 

S1  S2  s3 

—  _  2  —  +  ~ 

i;  u  ii 


(m) 


153 


I 


and  an  alternative  to  Step  3« 


=  [P,  P,  P.  (1  -  o?  -  3)] 

dad  x  1  ' ' 

S  s  c 


(li  -  ^)2 

\  II  IV 

31  s2  s3 

Ti  "  2  Ti  +  T: 


(112) 


Combining  these  estimates  with  Equation  (109)  yields  an  estimate  of  a, 


p  -  (1  -  3)  (3  +  x) 
a  =  1  +  - - - - 


(113) 


Also  note  that, 


[P.  P,  P,  1 
a  d  d  J  = 


(114) 


1  -  a:  -  3 


If  the  three  checkouts  are  conducted  immediately  following  repair  then 

P^  P^.  is  replaced  with  (y,^  +  u0)  so  that 
g  '  s  ^ 


X - >  [(^  'r  Uo)  Pd  (1  -  a-  -  3)] 

C1 


(115) 


r  1 

!p.  p,  p,  ' 

_  d  d  d  _ 

rr  <7  r» 

*’  ci 


T  (u,  +  P,  P,  ^ 

X  3  CL  a 

s  c1 


(115) 


If  vc  r.idie  the  assur lotion  that 


P,  =  r  P, 
a  d 

c^  c 


(117) 


there  r  has  c. 


•  -'-no’Tn  or  assumed  value,  then  Step  7» 


or 


(118) 


(119) 


7.2.8  The  Role  of  Failure  Analysis 

Evaluation  of  P  P  and  X  requires  a  limited  amount  of  "complete 
J  s  c 

failure  analysis’"'  of  field  rejected  items.  This  must  "be  accomplished  in 
conjunction  with  examination  of  the  procedures  used  to  accomplish  field 
testing.  By  "complete  failure  analysis"  it  is  meant  that  field  rejected 
items  are  to  he  examined  for  every  functional  characteristic  that  is  con¬ 
sidered  to  he  essential  for  proper  operation  of  the  equipment.  Ir.  general, 
of  course,  one  or  nore  of  the  examined  characteristics  will  indeed  he 
failed.  To  determine  whether  any  given  failed  characteristic  falls  in  the 
"inherently  undetectable"  category  it  is  necessary  to  answer  a  specific 
question:  If  this  characteristic  failed  in  the  field,  would  field  testing 
discover  the  failure?  A  negative  answer  implies  that  the  failure  is  in¬ 
herently  undetectable  in  the  field. 

To  quantify  test  coverage,  which  is  a  function  of  p,-,*  X^  and  P^  Pu 

SC 

two  items  of  information  are  required: 

.  The  number  of  raaintenance  cycles  from  previous  replacenent/repair  to 
the  current  rejection. 

.  Failure  analysis  of  the  rejected  item  to  determine  the  e::istence  or 
non-existence  of  inherently  undetectable  failures .  (Multiple  failures 
of  this  type  in  a  rejected  item  are  counted  as  a  single  failure). 


155 


I 


The  specific  data  to  be  collected  is  as  follows. 

.  rThe  number  (ll)  of  items  rejected  from  the  field  on  the  kth  checkout 
subsequent  to  repair. 

.  -The  number  (r)  of  the  II  rejected  items  which  have  an  inherently  un¬ 
detectable  failure. 

In  general,  if  the  counts  for  the  kth  checkout  are  denoted  by  M  [k]  and 
r  [k]  and  'the  counts  for  the  jth  checkout  are  denoted  by  II[j]  and 
r  [j],  then; 


P  P 
u  u 
s  c 


r  M  [k]  -  r  [ll] 


M  [j] 


1 


M  [k]  II  [j]  -  r  [J] 


} 


(120) 


For  ewanole,  if  we  have  information  on  items  rejected  after  one  ( j=l)  and 
two  (l:=2)  maintenance  cycles,  then  we  have  Step  6. 


II  [2]  -  r.  [2]- 

M  [2] 


Ii  [11 


II  [1]  -  r  [l) 


(121) 


s  c 


(122) 


if  information  is  available  for  several  1:  and  j,  an  average  may  be  t alien 
of  the  Py  +  Pu  or  the  marimun  likelihood  value  for  the  entire  set  of  1: 

3  C 

may  be  used. 


A  conservative  (pessimistic)  estimate  of  the 
with  an  inherently  undetectable  failure  (p0 ) 
have.  Step  9* 


probability  of  leaving  repair 
is  also  readily  found.  We 


I 


156 


i 

I 


i 


1 


B 


f 


*  •  r  i  _  ■;  r-,  _  "1  .  z\  » 

it  cs*  J~  l-~~'  / r p  n  "l\  1"  -  1  2 

!-l3  _  irun  i'-pu  u  j  ~ 2> 


etc. 


(123) 


Tne  estimate  of  the  probability  leaving  repair  is  now  obtained  from  Ste^ 


Pi  =  C (y-2.  ''r  *J‘- 


(124) 


7.2.9  Estimation  of  1 

Actual  launch  attempts  are  not  likely  'to  be  initiated  from  operational  siteB 
for  a  variety  of  reasons.  Therefore,  a  secondary  source  of  data  must  be 
used.  Simulated  countdowns  in  the  field  may  be  used  as  this  source,  the 
data  being  processed  in  accordance  with  Step  5  of  the  previous  section. 

However,  it  must  be  recognized  that  the  estimate  obtained  in  this  way  must 
be  corrected  by  data  on  pyrotechnics  and  the  engines. 


7-2.1°  Estimation  of  P  [t/L] 

Tie  probability  of  completing  a  launch  in  time  t  or  less;  given  that  it 
is  completed  successfully  may  be  determined  directly  from  field  data. 

Order  the  i-i  observed  durations  t.  of  successful  attempts  in  increasing 
order, 

L1  L2  L3  Hi 

Associate  with  each  t^  an  empirical  probability  number  •  Plot 

the  number  pairs  1 


iilkl  \ 
;:-:-i  j 


on  ary  convenient  type  of  graph  paper.  This  plot  is  the  empirical  proba¬ 
bility  that  a  successful  launch  attempt  will  take  a  tine  t  or  greater 


I 


157 


to  complete.  One  minus  the  plot  is  the  empirical  probability  that  it  ■..’ill 
tal:c  a  tine  t  or  less  to  complete  a  launch;  given  that  it  is  completed 
successful  ly. 


7.3  Summary  of  Estimates  in  Terms  of  Test  Methodology 

Table  III  summarizes  the  conditions  of  test  and  the  parameters  which  may  be 
estimated  from  the  tests.  It  should  be  noted  that  there  is  a  considerable 
degree  of  useful  overlap  between  the  various  tests.  It  should  also  be  noted 
that  P^  and  are  not  separable  by  any  of  the  test  methodologies 

C1  C2 
considered. 


158 


•< 


159 


auame 


t 


8.0  i&tfxE.  aClICISS 
o.l  numerical  jh/aluation 

It  is  assumed  that  those  steps  upon  uM  eh  -.re  have  touched  only 
through  7.0)  have  been  successfully  completed.  \!c  are  at  this 
possession  of  estimates  of  all  system  parameters  and  are  ready 
the  model. 


briefly  (1.0 
point  in 
to  exercise 


8.1.1  List  of  Parameter  Values 


It  is  assumed  that  tasks  1.0  through  7*0  have  been  accomplished  uith  the 
results  listed  in  Table  IV.  These  are  initial  best  estimates  for  the  system. 


8.1.2  availability 

3.1. 2.1  Steady  State  Values 


Table  V  lists  the  results  of  the  availability  model  exercise  by  subsystem 
(and  by  system)  for  the  initial  best  estimates  tabulated  in  Table  IV.  It 
should  be  noted  that  the  true  availability  is  considerably  less  than  the 
apparent  availability.  The  availability  vector,  based  on  the  true  availubilit 
is  given  by; 


A.H  = 


-O 


5  :c  2.0 
1.39  x  10' 


1 


-4 

1 

1.59  ::  10" 3 
1.052  x  iO"2 
4.49  x  10"2 
.1278 
.242 
.296 
.210 
.067 


(1.25) 


160 


COUNTDOWN 


FLIGHT 


TABLE  Y.  AVAILABILITY  OF  THE  SYSTEM  BY 
SUBSYSTEM,  et  al. 


Subsystem 

A  i[co] 

a  r=] 

U~ 

Ts  (days) 

TCT0 

0.9  (84) 

0.984 

- 

G 

0.9  (78) 

0.978 

- 

B 

0.8  (50) 

0.991 

10 

A 

o.O  (ki) 

0.997 

364 

H 

0.7  (4o) 

0.771 

- 

<CDEF> 

0.5  (n) 

0.962 

30 

wC..»  v<iUO 


LVCil-LC.  J  i.'-.l  C 


0.2  (So) 


System  apparent  availability  A  [“]  =  0.7  ( 05 ) 

s 


8. 1.2. 2  Augmented  Availability 

numerical  integration  of  Equation  (32)  provides  a  curve  of  augmented 
apparent  availability  P  [t]. 

Ynen  this  curve  is  multiplied  by  the  factors  indicated  in  Equation  (34), 
the  true  agunented  availability  is  obtained.  These  two  curves  are  shown 
in  Figure  18.  It  will  be  noted  that  the  alert  status  is  not  markedly 
ir.rorovc-d  by  the  change  in  policy  (A^y0!  =  «26o  as  opposed  to 


!  na:: 

I  (t  =  1  day) 
I 


162 


(a')  \ 


i 

I 


163 


FIGURE  18.  AUGMENTED  AVAILABILITY 


r 


8.1.3  Countdown  Reliability 

We  shall  demonstrate  the  technique  of  countdown  reliability  prediction  for 
the  re-entry  vehicle  only.  All  other  subsystems  are  handled  in  an  analogous 
manner.  Referring  to  Figure  6  we  have; 


R(t)  .  e‘3-8  *  10'6t  {  O(t)  -  U(t-4)  (1  -  e'1’6  X  • 


£  i  ( 4-  )i 


NU(t)  -  U(t-6)  (1  -  e15  ::  10  (t~^) 


(12b) 


x^U(t)  -  U(t-6.5)  (1  -  e-10 

x|U(t)  -  U(t-T*5)  (1  -  e"20  ::  10  (t-T-5))2j 

Where  t  is  in  seconds. 

From  the  weapon  system  summary,  the  density  distribution  of  the  duration  of 
countdown  is  given  by. 


p(tCD)  =  L  e“L(t“9)  U(t-9) 


—  =  twenty  minutes 


(127) 


164 


0-9(53) 


(128) 


Then, 

R(tCD}  =  JQ  P^tCD)  R(tCD}  d  ^CD  = 

Similarly,  under  the  assumption  that  checkout  failure  rates  hold  for  count¬ 
down,  we  have  the  results  shown  in  Table  VI.  The  figures  shown  are  best 
estimates.  The  last  two  digits  are  not  considered  to  be  significant  but 

are  retained  to  reduce  round  off  errors  in  calculating  the  net  countdown 

reliability.  Assuming  subsystem  independence; 

H 

PCDl“]  -  1!  O  -  0.9(44)  (129) 

i=A 


TABLE  VI.  SUMMARY  OF  COUNTDOWN  RELIABILITY 
PREDICTION  BY  SUBSYSTEM 


Subsystem 

Designator 

A 

B 

C 

D 

E 

F 

G 

H 


Subsystem  Countdown  Reliability  (R^1) 
0.95(300) 

0.99(720) 

0.99(720) 

0.99(935) 

1.00(0000)" 

0.99(975) 

0.99(975) 

0.99(720) 


8.1.’:  Flight  Reliability 

As  a  result  of  ground  tests  conducted  under  flight  similar  conditions  of 
vibration  and  temperature,  it  is  estimated  that  the  flight  stresses  exceed 


165 


normal  checkout  stresses  by  a  factor  of  three,  except  for  structure  and  pro¬ 
pulsion  which  are  markedly  greater.  Performing  calculations  similar  to  those 
illustrated  for  the  re-entry  vehicle  in  countdown  we  have  the  results  tabu¬ 
lated  in  Table  VII.  Assuming  subsystem  independence, 

E 

pf  =  IT  Rf1  =  0.7  (84)  (130) 

i=a 

TABLE  VII.  SUMMARY  OF  FLIGHT  RELIABILITY 
PREDICTION  BY  SUBSYSTEM 


Subsystem 

Designator 

Subsystem  Flight. 
Reliability  (P  ) 

A 

0.9  (20) 

B 

0.9  (52) 

C 

0.9  (71) 

D 

0.9  (89) 

s 

0.9  (32) 

£.1.5  Dependability  Matrix 

The  components  of  the  dependability  matrix  are  given  by, 


djj  =  a10"J  (1-B)J_1;  1  =  X,  2,  ....  10  J  >  1  <  10 

aii  -  0  J  J  < 1 

where  for  the  specified  reaction  time  of  two  and  one  half  hours  we  have; 


(131) 


R  ~  PCDM  Pf  =  0.9  (44)  x-G.J  (84) 
=  0.7  (4o) 


(132) 


166 


t 


For  shorter  time  periods  and  permitting  only  one  co-jntdown  attempt, 

.  (t-9) 

R(t)  =  0.7^0  (1  -  e  30  )  u[t-9l  (135) 

Riis  function  is  plotted  in  Figure  19a. 


If  two  countdown  attempts  are  permitted,  and  if  the  site  survives  enemy 
counter  measures,  then  the  probability  of  launch  is  given  by, 

r  ,  f  ,  ,  -3.l8(r  -.15)  -.125(t  -.15)  l 

pl[tc]  =0.524-  .234  e  c  -.290  e 


-.125(t  -.3)  -3.18(t  -.3) 

.  x  U[t  -.15]  +  .  0.434  -  .453  e  c  -  .131  e  c 


+  .189  e 


-3(t  -.3) 


-  .030(tc-.3)  e 


-3-18(t  -.3) 


u[V.j] 


TKis'  function  is  plotted  in  Figure  19b. 


It  should  be  carefully  noted  that  it  has  been  necessary  to  combine  countdown 
with  the  readiness  vector  in  order  to  perform  this  computation.  Since  this 
violates  the  original  intent  of  this  memorandum.  Equation  (154)  uiil  not  be 
used. 


167 


FIGURE  19a.  LAUNCH  RELIABILITY  WHEN  ONLY  ONE  ATTEMPT  IS  PERMITTED 


t 


r-i'i 


169 


FIGURE  19b.  LAUNCH  PROBABILITY  WHEN  TWO  ATTEMPTS 
(WITH  REPAIR  OF  ABORTS)  IS  PERMITTED 


170 


8.1.6  Capability 


The  best  estimate  of  the  standard  deviation  of  miss  distance  is  one  mile. 
She  lethal  radius  for  the  targets  under  consideration  is  also  one  mile, 
and  a  unity  dc.i-.1a5e  function  is  considered  to  be  a  reasonable  appro::imatior 
to  the  weapon  effects.  Therefore,  the  per  unit  probability  of  kill  is. 


P,_  =  1  -  e 


-d-W 


(136) 


=  1  -  e 


"*5  =  0.  Sa¬ 


lience,  the  capability  vector  is  from  Equation  (78) 


C  = 


2.33^0 

2.1o90 

2.0205 

1.8263 

1.6043 

1.3522 

1.0679 

0.7492 

o.3?4o 

0.0000 


(137) 


8.1.7  Ejected  Kill  (E) 

Tlie  eirpected  kill  is  given  by, 

Z  =  A’  [Dj  C  (133) 

where  A  is  defined  by  Equation  (125),  [D]  is  defined  by  Equation  (135) 

and  C  is  defined  by  (137).  Performing  the  indicated  multiplication, 

E  =  0.oS2  (139) 


171 


There  is,  therefore,  less  than  a  fifty-fifty  chance  of  destroying  one  of  the 
three  targets  on  which  the  squadron  of  nine  ICBM's  is  targeted. 


172 


I 


in.  APPLICACTOi:  OF  MODS!  results 

1.0  COilVillACEVS  SYSTSXS  AiALYSIS 

1 . 1  Comparison  of  host  Sstt~..iate  with  S.O.R. 

Table  VIII  lists  OilC  5  j  0  wCitl  03  CILl^C  GO  3  obtained  Iron  the  model.  Idle  IX 
gives  the  apportionment  of  readiness  and  reliability  from  the  S.O.R. 

1  #  2  **  A-V\  1  ■?  j[  I  j.*y",r 


Table  X  lists  the  flight  reliability  of  the  subsystems  in  order  of  increasing 
reliability. 

1 . 3  Countdown  he liability  Ranked  by  Subsystem 

Table  XI  lists  the  countdown  reliability  of  the  subsystems  in  order  of  in¬ 
creasing  reliability. 


1 .  X  Availability  Ranked  by  Subsystem 

Table  V  lists  the  availability  of  the  sub  systems  in  increasing  order. 


TABLE  Vin.  SOR  REQUIREMENTS  AND  MODEL  OUTPUTS 


Par  cone  ter 

SOR  Requirements 

Model 

Output 

Min.  Accept. 

Ob,).  Value 

3 

0.5 

0.9 

0.260 

PCD 

0.3 

0.95 

0.9  (44) 

Pf 

0.7 

0.9 

0.7  (84) 

Pk 

0.8 

i  - 

0.9 

0.394 

3 


TABLE  IX.  SUBSYSTEM  APPORTIONMENT  AGAINST  SOR 


Parameter 

SOR 

Equal 

Partition 

j '.vaila 

Min. 

i 

•  5 

0.9259 

(9  subsystems) 

Obj. 

•9 

0.9884 

Countdown 

Reliability 

Min. 

.8 

0.9657 

(9  subsystems) 

Obj. 

•  95 

0.9943 

Flight 

Reliability 

Min. 

,7 

0.9312 

(5  subsystems) 

Obj. 

•  9 

0.9791 

TABLE  X.  FLIGHT  RELIABILITY  BY  SUBSYSTEM 


Subsystem 

Pf1 

Re-entry  Vehicle 

0.9(20) 

Structure 

0.9(32) 

Guidance 

0.9(52) 

Autopilot 

0.9(71) 

Propulsion 

0.9(89) 

J. 


174 


TABLE  XI.  COUNTDOWN  RELIABILITY 
BY  SUBSYSTEM 


Subsystem 

P  ~ 

rCD 

Re-entry  Vehicle 

0.95(300) 

Guidance 

0.99(720) 

Autopilot 

0.99(720) 

Power  generation  and 
distribution 

| 

0.99(720) 

Propulsion 

0.99(935) 

Air  conditioning 

0.99(975) 

Overhead  door 

0.99(975) 

Structure 

1.0000“ 

2.0  Parameter  Variation  Study  on  Availability 

Examination  of  the  availability  vector.  Equation  (125),  the  capability 
vector  (137)  and.  Tables  VIII,  IX,  X,  and  XI  leads  to  the  conclusion  that 
system  availability  and  per  unit  probability  of  kill  are  week  as  compared 
to  system  reliability.  Accordingly,  we  institute  a  parameter  variation 
analysis  of  these  two  factors  in  order  to  assess  the  potential  for  system 
improvement .  We  shall  only  perform  a  lira! ted  investigation  here,  stressing 
the  importance  of  the  proper  checkout  periodicity  for  availability  and  the 
effect  of  guidance  accuracy  on  unit  kill  probability. 

2.1  Subsystem  Availability 

2.1.1  Subsystem  A 

figure  20  illustrates  how  the  availability  of  the  re-entry  vehicle  varies  as 
a  function  of  the  replacement  cycle  length  t\  A  substantial  gain  in 


175 


120 


160 


200 


T*  (DAYS) 

TY  OF  RE-ENTRY  VEHICLE  AS  A 
F  THE  REPLACEMENT  INTERVAL 


6 


availability  can  be  achieved  by  recycle  or  the  re-entry  vehicle  every  forty 
to  fifty  days  as  opposed  to  the  planned  recycle  of  one  year. 

2.1.2  Subsystem  B 

Figure  21  illustrates  the  variation  of  guidance  availability  as  a  function 

T> 

ef  standby  status  duration  T  fne  optimum  standby  interval  is  of  the 

o 

order  of  2.5  to  2*0  days  as  opposed  to  the  planned  duration  of  ten  days. 

2.1.3  Subsystems  CDS? 

Figures  22  through  26  illustrate  the  potential  increase  in  availability 
of  Subsystems  C,  D,  E,  and  F.  It  is  clear  that  Subsystem  C  and  D  should 
not  be  checked  as  infrequently  ay  thirty  days.  Specifically,  we  have  the 
folio: ring  optimum  standby  periods  for  marinum  availability. 

TABLE  XII.  OPTIMUM  STANDBY  DURATION  FOR 
SUBSYSTEMS  C,  D,  E,  F 


Subsystem 

(*.) 

Alert  Duration 
(in  days) 

A1  M 
Availability 

C 

3 

& 

00 

D  ! 

3-5 

.882 

E 

30 

.982 

F 

10 

.982 

Subsystem  G  requires  little  or  no  improvement . 


177 


» 


178 


Ts°  (DAYS) 

FIGURE  21.  AVAILABILITY  OF  GUIDANCE  SYSTEM  AS  A 

FUNCTION  OF  THE  DURATION  OF  ALERT  STATUS 


ro 

po 

w 

Pi 

o 

o 

►-( 


t« 


182 


T$  (DAYS) 

25.  AVAILABILITY  OF  THE  OVRHEAD  DOOR  ASA 
FUNCTION  OF  THE  DURATION  OF  ALERT  STATUS 


V 


FIGURE  26.  COMPOSITE  AVAILABILITY  OF  SUBSYSTEMS  C 


2.1.5  Subsystem  II 

Table  XIII  illustrates  the  potential  gains  arising  from  various  chances  in 
the  poorer  generation  and  distribution.  Substantial  changes  in  false  alarm 
rate  (a),  detectable  failure  rate  ( ,  and  the  undetectable  failure  rate 
(a  }  will  be  required  to  achieve  the  apportionment  (equal  availability 
partition)  cited  in  Table  IX. 


1 


TABLE  XIH,  EFFECTS  OF  ALTERATIONS  ON 
SUBSYSTEM  H 


*  1 

Parameter  j 

A  1 

1  1 

Change 

r 

1 

Current  ! 
estimate 

Proposed 

change 

No  change 

- 

- 

0.71*) 

- 

l/X 

100 

CO 

0.765  j 

2.03 

l/a 

10 

00 

0.788  I 

6.49 

1 

9.09 

00 

0.814  j 

10.00 

Vv 

5 

50 

0.825 

11.50 

1/(®+\l+\l) 

7.69 

50 

0.981 

32.6 

*  Units  are  days  or  days  between  events. 


2.2  For  Unit  iX.M. 

Figure  27  illustrates  the  way  in  which  per  unit  kill  probability  varies 

with  the  ratio  (1L/ct).  To  achieve  the  minit-m  acco-.table  value  for 
is 

?,.(=. C),  1L  jo  must  increase  from  its  current  value  of  unity  to  !.•  .  To 

1j 

achieve  the  objective  value  (=.9),  A /a  must  increase  to  2.125. 


Figure  28  illustrates  the  effect  of  alternative  targeting  policies.  It 

.1. 

-.-i1!  bo  noted  that  it  currently  tahes  3'  missiles  to  achieve  the  empcctcd 
hill  that  accuses  to  a  fleet  for  "hieh  =  .0,  and  it  takes  five  missiles 
to  achieve  the  equivalent  effect  of  P,.  =  .9. 


184 


185 


NO.  OF  DELIVERED  WARHEADS  PER  OBJECTIVE 


FIGURE  28.  VARIATION  OF  EXPECTED  KILL  AS  A  FUNCTION 
OF  THE  NUMBER  OF  DELIVERED  WARHEADS 


186 


Pne  decision  to  be  made  hero  is  whether  it  is  less  costly 
or  to  double  the  guidance  accuracy. 


to  buy  '..’.ore  Missile 


3 . 0  Recalculation  of  E  Based  on  Potential  System  Imroveuents 

Table  XIV  summarizes  the  readiness  figures  which  can  accrue  from  revised 
checkout  periodicity. 


TABLE  XIV.  EFFECT  OF  REVISED  CHECKOUT  FREQUENCIES 
ON  SUBSYSTEM  AVAILABILITY 


Subsystem 

Ts 

(days) 

A1  M 

A 

60 

0.9475 

B 

3 

0.8924 

C 

3 

0.830 

D 

3-5 

0.882 

E 

30 

0.982 

F 

10 

0.982 

G 

- 

0.978 

H 

- 

0.981 

TCTO 

( combine 
with  U/M) 

1.00 

<CDEF> 

3-5 

.684 

187 


If  TCTO  work  is  combined,  with  unscheduled  maintenance  and/or  scheduled  check¬ 
out,  and  if  subsystem  <  CD2F  >  is  checked  out  every  five  days,  then 


A  M  =  0.555 
s 


(lo-C) 


If  all  subsystems  are  checked  independently  at  their  optimum  periodicity. 


A_  [»]  =  0.572 


(141) 


If  the  guidance  dispersion  is  cut  in  half  by  redesign,  etc.,  then 


=  O.865 


(142) 


which  exceeds  the  minimum  acceptable  SOR  value. 


Recalculation  of  E  based  upon  Equations  (l4o)  and  (14-2)  yields  the  results 
listed  in  Table  XV.  Further  improvement  can  be  obtained  by  targeting  more 
missiles  per  objective. 


188 


TABLE  XV.  EXPECTED  KILL  FOR  VARIOUS  SYSTEM  CHANGES 


Proposed  Alteration 


No  alteration 

Checkout  frequency  optimized 
Guidance  accuracy  improved 

Both  optimum  frequency  and  guidance  improvement 


o.  >; 


Development  of  an  algorithm  for  determination  of  the  optimum  policy  for 
weapon  system  improvement/deployment  is  beyond  the  scope  of  this  document, 
but  it  is  clear  that  schedules,  cost,  technical  feasibility  of  the  proposed 
changes  expected  weapon  system  life  and  a  host  of  other  factors  must  enter 
at  this  point  in  order  to  arrive  at  correct  management  decisions. 


APPENDIXES 


190 


APPENDIX  I 


of 

EXAMPLE  B 

Weapon  System  Capability;  Availability 
Models  and  Parameter  Estimation 


191 


Tiiis  append!::,  irhicli  is  a  paper  delivered  to  the  Aerospace  Reliability  and 
i  maintainability  Conference,  May  b-b,  19&3,  bashinytcn  D.C.,  describes  the 
analytical  techniques  i.irich  have  been  used  to  develop  the  models  for  availa- 
bilitv  yiven  in  the  body  of  this  renort. 


192 


WEAPON  SYSTEM  CAPABILITY  :  AVAILABILITY  MODELS 
AND  PARAMETER  ESTIMATION 

Alfred  J.  Monroe 
Section  Head  WSC  Group 
Space  Technology  Laboratories,  Inc. 

Redondo  Beach,  California 


Introduction 


Background 


The  design  nnd  development  of  weapon  systems 
h as  traditionally  crowded  the  "state  of  the  art" 
in  material*;,  dovi.ces,  and  physical  principles. 

In  recent  timeo,  designero  have  been  faced 
lAvifttiitancoualy  with  increnalngly  novel  demands 
*»hd  W**  limited  amounts  of  teot  date. 
WrtrfteWWMlW  V^i'>Lv^.tricnt8  almost  Invariably  include 
%‘aVYV*  nM  reGponse  time  limits  which 

cannot  be  Wit  v>ithc<ut  a  tight  integration  of  per¬ 
sonnel,  prOcYdurco >  and  hardware.  Furthermore, 
modem  weapon  systemo  nrc  rnpidly  becoming'one 
shot"  devices  providing  little  opportunity  for 
obtaining  operational  usage  data,  cither  in  kind 
or  in  quantity.  A  culmination  of  these  factors 
is  most  clearly  evident  in  the  current  ballistic 
missile  programs.  Not  only  have  economics  and  tJme 
schedules  frequently  combined  to  frustrate  the 
requirements  of  testing  and  evaluation  erf  the 
weapon  systems,  but  the  sheer  complexity  of  the 
systems  have  mitignted  against  effective  systems 
management.  Accordingly,  whnt  was  once  considered 
merely  desirable,  is  now  mnndatory--an  integrated 
methodology  for  venpon  oyotem  management  which  will 
both  pinpoint  problem  areas  and  which  will  provide 
a  miner  leal  measure  of  wenpon  cy3tcir.  adequacy  using 
the  bnrest  minimum  of  data.  The  subject  natter 
of  tills  paper  represents  nn  effort  to  contribute 
to  the  unraveling  of  this  problem  both  by  analy¬ 
tical  technique  and  example  results. 

Total  Measure  of  a  System 


There  is  no  generally  accepted  definition  of 
the  total  measure  of  oyoten  performance.  If, 
however,  we  exclude  the  question  of  cost  as  being 
outside  the  immediate  purview  of  this  paper,  we 
may  define  a  measure  which  is  a  suitable  ocr.crip- 
tion  of  many  military  systems  as  "the  probability 
that  a  complex  of  equipment,  personnel,  and 
procedures  will  successfully  respond  to  and  sccosm 
plish  the  Intent  of  its  design  when  an  execution 
directive  Is  received  at  a  random  point  in  time." 
Tor  a  ballistic  Blocilc  oysters,  this  verbal 
definition  may  usually  be  reduced  to  a  function 
of  conditional  probabilities, 


f  * 


cd. 


P.  P„  P _ ,  P  P  w 

L  B»  njxl,  H  »h 


a] 


(1) 


where  the  symbols  denote  random  availability  Par, 
communication  reliability  Pc,  countdown  reliability 
pcd,  vulnerability  Pv>  flight  reliability  rf 
guidance  accuracy  Pc,  propellant  depletion  ? * . . 
penetration  probability  Pp#  warhead  reliability 
Pwh,  and  kill  probability  P^. 


Sc^pe  of  this  Paper 

It  io  the  intent  of  the  author  to  limit  thio 
paper  to  a  conn ide rat ion  of  the  first  fnctor  of 
thio  equation  (Par);  not  only  because  it  is  in  the 
area  of  maintainability  that  one  may  expect  to 
achieve  ni;.n  if  leant  3  rrpro*- omenta  in  an  already 
operational  system,  but  nlno  bceauoe  this  factor 
of  t.ho  equation  io  the  no3t  difficult  to  assess 
for  alii n tic  mlnsilc  nys terns.  The  crux  of  the 
difficulty  is  the  fnct  that  one  cannot  demonstrate 
the  readiness  of  a  ballistic  missile  system  to  the 
oame  degree  thst  can  be  done  for  aircraft.  Accor¬ 
dingly,  a  technique  is  required  whereby  the  actual 
alert  status  of  the  weapon  system  may  be  Inferred 
as  opposed  to  demonstrated.  This  paper  will  show 
that  such  a  method  of  inference  exists;  will 
dolincnte  the  factors  to  be  considered;  and  vtll 
provide  an  example  of  the  use  of  the  techalfsm 
involved. 


Availability 

Definition  of  Availability  l>  3'  6>  10 

Availability  may  be  defined  ns  the  probability 
that  a  mloolle  and  its  launch  complex  will  be 
nonfailed  and  capable  of  entering  countdown  when 
an  execution  directive  is  received  at  a  random 
point  in  time  after  initial  lnotallatlon  and 
checkout.  It  may  be  calculated  in  either  of  two 
vnyo, 

F  ■»  achieved  time  nonfailed  and  assigned  to  alert 
ar  achieved  total  time  in  use  (2) 

or 

°  -  expected  tire  nonfailed  and  assigned  to  alert 

expected  total  time  in  use  (3) 

In  the  first  calculation  we  deal  with  demonstrated 
fact.  In  the  second  calculation  we  moke  a  predic¬ 
tion  from  current  data.  It  is  the  latter  calcula¬ 
tion  with  which  we  shall  deal  here. 

The  Factors  of  Aval lability 

Operation  of  a  weapon  system  during  peacetime 
may  be  resolved  into  three  basic  activities 

alert 

checkout  and  calibration/scheduled 
maintenance /training  exercises 

.  repair  (unscheduled  maintenance) 


193 

4  » 


i 


duration  duration 

(if  required^ 

Figure  1.  Time  Line  Sequence  for  a  Purely 
Discrete  Monitoring  Policy 


Hie  way  in, which  the  basic  activities  are  related 
to  each  other  is  defined  by  the  management/main¬ 
tenance  policy  for  the  system.  Each  of  these 
activities  is  traditionally  considered  to  be  the 
resultant  of  the  Interaction  of  three  factors 

.  personnel 

.  procedures 

.  hardware 

Role  of  the  HanagemenV  Maintenance  Policy 

These  three  factors  and  the  measures  thereof 
are  meaningfully  related  by  the  system  management/ 
maintenance  policy  of  which  there  are  two  fundamen¬ 
tal  types.  In  the  first  instance,  illustrated  In 
figure  one,  a  system  may  he  subjected  to  a  discrete 
monitoring  policy.  That  Is,  the  equipment  la 
checked  "periodically"  to  determine  if  it  Is 
functional.  The  duration  Tc  of  an  "all  go"  check¬ 
out  may  be  constant  or  may  be  a  random  variable. 

If  one  or  more  repairs  are  necessary,  a  time  Tr 
is  required  to  repair/replace  and  recheck  the 
system.  This  duration  is  usually  a  random  variable. 
Subsequent  to  repair,  or  to  Tc  if  no  repair  Is 
required,  the  system  is  assigned  to  an  alert  status 
for  a  duration  Ts  during  which  it  is  as e vised  to  be 
nonfalled  and  le  held  In  readiness  to  perform  its 
design  function  if  called  upon  to  do  so.  The 
duration  of  T.  Is  quite  frequently  a  fixed  value. 


Figure  2.  Time  Line  Sequence  for  a  Continuous 
Monitoring  Policy 


The  second  type  of  maintenance  policy  is 
illustrated  In  figure  two.  Here  the  system  Is 
monitored  continuously  for  failures  so  that  the 
system  is  "up"  or  alert  for  times  tf,  where  tj. 

Is  the  time  to  system  failure  after  a  repair. 

(This  Is  a  random  variable).  The  system  Is  "down',' 
l.e.  in  repair,  diagnosis,  or  awaiting  repair 
for  a  time  Tr  whenever  a  failure  occurs.  In 
general,  Tr  is  a  randan  variable. 

For  most  complex  systems  a  real  maintenance 
policy  will  consist  of  a  mixture  of  these  two 
fundamental  policies. 

Failure  Distribution 

The  hardware  factor  of  availability  evidences 
Itself  as  a  failure  distribution.  For  complex 
systems  this  failure  distribution  will  be  exponen¬ 
tial,  but  the  failure  rate  may  differ  depending 
upon  whether  the  equipment  is  In  checkout  or  In 
alert. 

The  Concept  of  a  Test 

It  is  convenient  and  realistic  to  treat 
personnel  and  procedures  together.  Measureahla 
parsmeters  which  describe  their  Interactions  with 
hardware  nay  be  defined  through  the  concept  of  a 
"test". 

If  we  regard  a  complex  system  as  a  single 
unit,  then  a  checkout  or  a  continuous  monitor  may 
be  regarded  as  a  "test".  By  a  test  we  mean,  then, 
the  examination  of  a  set  of  functional  character¬ 
istics  of  a  equipment.  If  an  observed  character¬ 
istic  does  not  meet  the  requirements  Imposed  by 
the  test,  the  equipment  Is  rejected,  otherwise 
It  is  passed. 

The  test  will  have  four  basic  properties. 
First,  It  will  "pass"  or  "reject"  an  equipment 
at  a  specific  point  in  time.  That  is,  it  is 
assured  that  tlie  tesTdeclslon  occurs  at  a  well 
defined  point  In  time.  Second,  it  will  on  occa¬ 
sion  "false  alarm"  a  nonfalled  characteristic  of 
the  equipment,  i.c.  It  will  call  a  good  system 
bad.  Third,  the  test  will  sometimes  pass  a 
Tailed  characteristic,  that  is,  it  will  not  always 
reject  a  failure  which  it  presumably  Is  designed 
to  detect.  A  tost  which  does  this  too  frequently 
Is  one  of  poor  "quality".  The  quality  of  a  test 
we  shall  define  as  the  probability  of  detecting 
a  failed  system,  given  that  the  system  is  failed 
on  or  before  the  time  that  the  point  of  test 
decision  is  reached.  The  fourth  and  laet  property 
of  a  test  is  "coverage".  By  coverage  ve  shall 
mean  that  not  all  the  possible  equipment  function¬ 
al  characteristics  are  examined  by  the  test.  It 
Is  assarted  that  the  failure  of  such  a  characteris¬ 
tic  cannot  cause  the  teat  to  reject  the  equipment, 
since  its  effect  on  the  equipment  is  indeterminate 
from  the  test.  However,  we  shall  further  assvise 
that  all  equipments  which  have  failed  in  this 
manner  will  bo  eventually  rejected  by  either  a 
false  alarm  or  by  the  detection  of  a  failure  of 
on  observed  characteristic  of  the  equipment. 


194 


Repair 

When  an  equipment  lo  rejected  by 
le  repaired.  In  the  caoe  of  military 
will  generally  reduce  to  the  sequence 

.  diagnose 

.  remove 

.  replace 


+  TJ 

h  ♦ » 

-  Z - 

probability  of  no 
failures  of  any  kind 

a  teet  it 

y>i 

at  t  -  ^  +  Tc 

systems  this 
of  events 

i-i 

1 

p[Bdjtk  * 

1- 

probability  of  one  or 
more  failures  of  the 

"detectable  in  princi¬ 

LS 

ple"  type  »t  t  ■  t  + 

i-i 

.  re cheek 

It  has  been  noted  in  the  literature  that  the  repair 
distribution  for  complex  military  systems  tends  to 
be  loc-normol  in  form.  This  13  a  particularly 
difficult  distribution  to  handle  analytically 
and  in  this  paper  it  will  be  approximated  by  means 
of  the  sum  of  exponentials. 

Dlacrete  Monitoring  Policy 
Analytical  Definition  of  a  Test 

We  shall  commence  the  analytical  portion  of 
this  paper  by  formalizing  the  above  coneepte  of 
a  test  for  a  discrete  monitoring  policy.  Having 
accomplished  this  we  shall  use  the  notion  of  a 
transition  matrix  to  relate  the  test  to  the  re¬ 
mainder  of  the  maintenance  policy  and  the  equip¬ 
ment  failure  distribution.  Subsequently,  we  shall 
formalize  the  definition  of  availability  for  a 
discretely  monitored  system.  Finally,  we  shall 
turn  to  the  problem  of  a  continuously  monitored 
system. 

'.Tie  basic  time  line  sequence  of  events  for  a 
discrete  monitoring  policy  is  indicated  in  figure 
one.  The  period  Tc  1s  associated  with  the  concept 
of  a  "teet"  which  partitions  equipment  at  the 
"point  of  test  decision"  indicated  at  t  •  ♦  To. 

For  simple  equipments  this  will  generally  1 

be  a  real  point  within  Tc,  but  for  complex  equip¬ 
ments  3uch  a  point  will  very  likely  be  a  con¬ 
venient  mathematical  fiction.  It  Is  assumed 
that  at  the  point  of  test  decision  the  test  acts 
instantaneously  to  partition  failed  equipments 
from  nonfailed  equipments  as  indicated  by  the 
partition  of  figure  three.  Consider  the  action 
of  the  tc6t  at  thin  point  in  time  on  a  total  of 
H  ”  ■»  Hg  +  H3  +  Njj  *  N-  +  Ng  equipments  all 

of  one  kind.  (Alternatively,  one  equipment  may 
be  tested  N  times  in  succession  ard  may  be  either 
good  or  bad  at  each  tost. )  Let  K.  -  K_  be  the 
true  number  of  nonfailod  equipments.  Let  N-  +  H, 
equipments  have  one  or  more  failures  which 
are  inherently  detectable;  that  is,  they  contain 
failures  among  the  essential  characteristics  which 
are  examined  by  the  test,  but  they  vill  not 
necessarily  all  be  detected  because  of  "noise"  or 
because  some  of  the  failures  may  be  marginal. 

In  addition  let  there  be  N_  +  th.  equipments  which 
contain  no  failures  among  the  characteristics 
which  the  test  examines,  but  which  do  contain 
one  or  more  failures  among  the  characteristics 
which  are  not  examined.  We  may  now  make  the 
following  definitions  if  the  total  number  of 
equipmento  being  examined  is  very  large 


R5  +  K6  -  probability  of  one  or 
6  more  failures  that  ere 

V"  "inherently  unde tee ta- 

/  "l  ble"  »t  t  ■  t  +  T 

i-i  11  1 


These  partitions  of  the  true  facts  concerning 
the  etates  of  the  equipments  at  the  instant  of  test 
deelelon  ere  shown  in  the  left  hand  boxes  of  Figure 
3.  The  right  hand  boxes  of  Figure  3  show  the  par¬ 
tition  of  the  equipments  which  result  as  a  conse¬ 
quence  of  test  decisions.  If  a  1b  the  probability 
of  calling  any  nonfailed  characteristic  bsd,  given 
that  it  is  examined  by  the  test,  then  we  may  write 


and 


a  * 


a' 


v6 

v^- 


false  alarm  probability 


false  alarm  probability 


There  ie  no  physical  reason  to  presume  that  a 4-  a', 
hence  we  shall  write  without  further  Justification 


a 


-  a' 


We  further  define  e  parameter  P; 


1-Pa  "4 

v"^ 


probability  of  catching  an 
"inherently  detectable"  failure 


Theee  six  equations  may  be  solved  simultaneously 
for  Hg,  Hj,  Hj,  and  Ng. 

We  shall  make  use  of  the  following  notatlonnl 
definitions  in  that  which  follows: 


probability  of  passing, 
given  that  the  equipment 
is  good  at  ty  ♦  Tc 

probability  of  passing, 
given  that  the  equip¬ 
ment  contains  an 
inherently  detectable 
failure  »t  t  ■  t  ♦  T 

*  1 

probability  of  passing, 
given  that  the  equip¬ 
ment  contains  only  in¬ 
herently  undetectable 
failures  »t  t  ■  t  *T 
*  C1 


195 


K  *  \1  " 

“i  *  "af 

[Bd“k  *  tJ — * 

N3  +  V 

|b  ;t,  +  T  - ► 

N_  + 

l  u'  k  CjJ 

5 

N,  - *p[oAPjt,  +  T  1  \ 

_il  1  ' k  ciJ 

N - *P  B  AP;t  +  T  1  /  Called  good 

J_  1  d  k  ciJ  ^  Ben*  to 

I  alert  status 

Nc  - *p[b  AP;V  +  T  j  / 

5  L  u  lc  c,J  / 


\Jn, 


t4 


■*[»*<*„  * 
-'p[vp;\  *  TJ 

-*p[vp'tk  *  *J. 


»l+»2 


"5*  "« 


1  -  p  =  n3  +  n4 


called  Bad 
and  sent  to 
repair 


FIGURE  3. 

ACTION  OF  A  CHECKOUT  (TEST)  ON  A  SYSTEM 
THAT  IS  DISCRETELY  MONITORED  AT  THE 
"POINT  OF  TEST  DECISION,  "  t  =  +  Tc 


196 


<> 


N, 


*[0Ar>\  *  TcJ 


p[vf,Jtk  +  TJ  "  ^=T 


i  Yh 
Z/i 


probability  of  flunk¬ 
ing,  given  that  the 
equipment  is  good  at 


probability  of  flunk¬ 
ing,  given  that  the 
equipment  contains  a 
failure  which  Is 
"inherently  detecta¬ 
ble"  at  t  ■  t.  +  T 

Tc  C1 

probability  of  flunk¬ 
ing,  given  that  the 
equipment  contains 
only  "Inherently 
undete  ctable " failures 
at  t  =  t  +  T 

*  Cl 


Using  these  definitions,  the  following  matrix 
equation  for  the  test  results  may  be  written, 


p[°  APiVTcJ- 

P[BdAPjVTcj 

pkAPjvTcJ 

p[o  AFjyT,  ] 

p[b4Af,VtCi] 

pkAFiVTcJ 


1-a  0  0 

0  P  0 

0  0  1-a 

a  0  0 

0  1-P  0 

0  0  a 


p 

05VTcl 

p 

lwtcJ 

p 

BusY*=) 

(it) 


State  Vectors  and  Transition  Matrices 


7 


(k  + 

i)  t] 

*n 

*12 

p[oj  Jct] 

(k  + 

1)  tJ 

*21 

*22 

P  |bj  kt] 

- 

the 

elements  a 

(<  0f 

the  matrix  A  are  c 

(6) 


transition  probabilities.  They  describe  the  way 
in  which  the  state  vector  at  t  ■  (k  +  1)  T  is 
related  to  tho  state  vector  at  t  -  kT.  If  p  is 
the  probability  of  being  nonfailed  at  time  t  » 

(k  +  1)  T;  given  that  the  equipment  is  nonfailed 
at  t  =  kT  and  if  4  is  the  probability  of  being 
nonfailed  at  t  »  (k  +  1)  Tj  given  that  the 
equipment  is  failed  at  t  =  kT,  then 


pjcj  (k  +  1)  T 
p[b;  (k  +  1)  T 


J 

■] 


1-P  1-4 


R* 

p[B; 


(T) 


Note  that  the  sum  of  the  terms  of  each  column  of 
A  is  unity.  If  p  and  |i  are  constants  when  T  is 
a  constant  it  may  be  shown  that-  the  state  of  the 
system  at  t  -  kT  is  related  to  the  state  of  the 
system  at  t  -  0  by 


It  is  desirable  to  have  a  simple  way  of 
obtaining  Ak  so  that  the  state  at  t  »  kT  may  be 
related  to  an  arbitrary  initial  state  at  t  »  0. 
This  may  be  readily  accomplished  using  the  Cayley- 
H ami 1 ton  relationship.  This  relationship  states 
that,  if  A  is  a  n  x  n  matrix,  i.e.,  has  n  rows  and 
n  columns,  then  A*  is  given  by 


A  particularly  orderly  way  in  which  to 
approach  the  description  of  a  system  which  can  be 
in  any  one  of  a  finite  number  of  possible  conditions 
or  "states"  is  through  the  use  of  the  concept  of  a 
state  vector  and  transition  matrices.  Before 
proceeding  to  the  main  developments  of  this  paper 
we  shall  fir6t  treat  a  simplified  situation  in 
terms  of  state  vectors  and  matrix  equations  in 
order  to  familiarize  the  render  with  the  ideas 
involved. 


Ak  -  (1-1  ♦  PjA  +  BZAZ  +  ...  ♦  Ba.1An*1  (9) 


The  0.  are  determined  by  solving  the  n  linear 
tio 


equations 
k 


“i  -  P0  +  Vi  +  Vi2  ♦  •••  +  en-la,in'1{10) 


1  -  0,  1,  2,  . . .  n-1 


Let  it  be  supposed  that  a  system  is  to  be 
described  at  time  t  -  kT.  The  system  is  cither 
"good,"  i.e.,  nonfailed,  or  it  is  "bad,"  i.e., 
failed.  There  is  a  probability  associated  with 
being  in  either  condition  which  we  will  refer  to 
as  the  "state"  of  the  system  and  which  we  write 
as  the  column  matrix  (vector) 


nils  state  vector  is  related  to  the  state  of  the 
system  at  t  ■  (k  +  1)  T  by  a  transition  matrix  Aj 


where  the  m  are  the  so-called  "eigenvalues" 
found  from  tbe  characteristic  equation 


cat 


of  A 


- 

X  1  A 

r  i 

A-oi 

'H  - 

p 

0;  kTl 

(5) 

p 

Bj  kT 

l 

(au-<D)  (l-a,,-®)  (l-a„) 


12 


12 


“11' 


(U) 


p-00 

*11*® 

*12 

- 

1-P 

l*p-<D 

^iz-" 

(12) 

(13) 


197 


f 


"b  -  1»  *»i  -  an  -  ‘u  ■  P  -  •*  (lU) 


Therefore 


i  -  P0  *  P1 


«i  ■  eo  *  ei“i 


0O  ■  1  -  0i 


p|g;  kr]  j 

oo 

•—  p[bj  w] 


p[os  (k  ♦  J)  t] 

! 

p[bj  (k  +  J)  t] 


J  -  0,  1,  2,  .... 

If  we  substitute  (21)  into  (7)  and  transpose  the 
left  hand  side  to  the  right  hand  side} 


P1  ‘ 


and  from  Equation  (9) 


<“i  1  - 


P  -  1  F 


i  -  p  -U 


pTg;  ki'j 
p[bj  ctJ 


(i  -  an)  «plk  »u(l  -  aft 
l-oi^  1  - 


Now,  since 


„  lu  1-*u4aiA 
— 1  -  V1  "  )  - 1-  - 

In  the  limit  as  k — >oo  ,  the  steady  state  vector  is 
found  to  be 

ph  “]  Irr^TF 


p[o;  kt]  +  p[bj  tt]  -  1  (23) 

We  stay  solve  the  matrix  equation  as  follows. 
Expending  either  row  of  (22),  for  example  the  first 
row; 

r  ^  r  ^ 

(p  -  1)  p|0;  kT— >ooj  +  mP|B;  kT — »ooj  -  0  (zU) 

and  from  (23)  in  conjunction  with  equation  (2U); 


U 

-  P  +  U 


and  of  course 


p|b;  KT — >a>j  -  1  - 


1  J —  i  ^  ~  ? —  HbJ0  These  are  precisely  the  results  stated  in  (20). 

-P  +  ul-P  +  w  l  l 


I  1  -  P  +  M 


1  ~  P 

1  -  p  +  (1 


In  other  words,  the  steady  state  condiTiOfi  is 
Independent  of  the  initial  conditions . 

The  fact  that  the  terminal  probabilities  of 
the  state  vector  (20)  are  independent  of  the  ini¬ 
tial  states  may  he  put  to  good  use.  For  example, 
whenever  the  one  step  transition  matrix  is  mode  up 
of  constant  terms,  as  in  (7),  we  may  determine  the 
terminal  states  by  equating  the  state  vectors  at 
equivalent  successive  points  in  time .  According 
to  (19),  once  steady  state  has  been  reached; 


Application  of  Transition  Matrices 

let  us  now  apply  the  concept  of  a  transition 
matrix  to  n  simple,  but  realistic  situation. 

Consider  a  single  equipment  Group  which  is  tested 
and  rejected  (or  passed)  a6  a  unit.  We  6hall 
assunc  that  tne  durations  of  scliedulcd  alert.  Tg, 
checkout  times  T„  and  T-  arc  constant  and  that 
C1  c2 

the  probability  that  a  nonfoiled  equipment  will 
survive  a  time  t  is  a  function  of  t  only  (exponen¬ 
tial  failure  distribution).  The  time  sequence  of 
events  is  shown  in  figure  one  for  the  kth  mainte¬ 
nance  cycle.  Wc  shall  as  Bums  that  each  maintenance 
cycle  starts  with  a  checkout.  We  6hall  further 
assume  tnot  all  failures  are  detectable  in  principle, 
hence  the  system  is  describable  as  being  in  either 
of  two  states,  "good"  or  "lad".  The  state  of  the 

system  at  time  t  »  t.  +  T  Just  prior  to  test 
k  cx 

decision  is  related  to  the  state  of  the  system  at 
t  ■  t^  by  the  matrix  equation 


198 


-where  Pc  Is  the  probability  that  the  equipment 

survives  T.  ,  given  that  it  wan  good  when  it 
C1 

entered  ehockout.  The  teit  decision  partition*  the 
system  vith  the  transition  probabilities  indicated 
in  figure  three.  Hence,  at  time  t  ■  tw  +  T- 

1 

inraediate ly  after  the  test  decision  Js  mode 

p[oAPi  tk  ♦  Tc J  1-0  0  p[oS  tk  ♦  Tc j 

P[^P,  ^  ♦  TCJ  0  »  PfB' 


p[q\F,  ^  *  TeJ  -  a 
p[ft\r;  ♦  tj  o 


The  state  of  the  system  at  entrance  to  standby 
depends  upon  whether  the  system  wo a  nonfailed  and 
passed  the  test  or  whether  it  failed  the  test  and 
was  sent  to  repair.  Considering  only  the  possi¬ 
bility  of  a  perfect  repair  we  have  at  t  •  tg 
(entrance  to  scheduled  alert)  _  k 


’lGi  \li 

■a 

'l*1  *J| 


?[cAP;t.  ♦  t  1 
iJ 


1  -  P„  1  0  0  |  plB/\P;t.  +  T 


jpfcAF;tk+Tcj 

i  r  "*1 

P[BAF;tk  *  Tc  J 


where  Pc  is  the  constant  probability  of  surviving 

the  remainder  of  checkout  after  the  test  decision 
is  mode,  given  that  the  system  was  passed  and  was 
in  fact  nonfailed.  Note  that  if  the  system  is 

good  and  passing  at  t  ■  t.  ♦  T  no  T  occurs  and 
k  c.  r 

consequently  the  a  term  of  the  transition  matrix 

is  P  not  P  P  . 
c  c„  r 


The  state  of  the  system  at  entrance  to  the 


succeeding  j:he  ckout  interval  is 


r\ 

ri=-  vj 

P  0 

• 

'[•■  *kj 

1  -  p  1 

0 

__  — 

(30) 


Where  Pg  is  the  constant  probability  that  the 

equipment  survives  Tg,  given  that  it  enters  Tg 
good.  Therefore  the  state  of  the  system  Just  prior 


to  the  noxt  tost  deeioion  is  rotated  to  the  state 


of  the  system  at  tho  previous  test  decision-  by 
the  product  of  the  four  transition  mntrlces  (27), 


(28),.  (29),  and  (30). 


al  *  Vc(1  ‘  a)  ♦  P,Pc  a 

Oj  -  (1  -  0)  Ps  T 


(32) 


This  equation  is  the  single  step  transition  between 
successive  test  decisions. 

From  (l*t),  the  eigenvalues  of  this  two  by 
two  matrix  of  constant  transition  probabilities 
are 

“b  *  1 

"L  "  *11  '  *12  *  P.Pc1  [°  +  Pc2(1  *  0t)-(1  *  Pj 

(33) 

From  (19),  the  Initial  state  of  tha  system  at  t  • 

T  is  related  to  the  state  at  t  •  t.  Just  prior 

Ci  * 

to  test  decision  by: 


and  it  follows  that  in  the  atcody  state 


199 


P  0)  t.  +  T  — -cd 
k  C1 


lp[B)  Sc  +  \~*°] 


P,PCi(l-P) 


l-P^Ja-U-fO+P^fl-ajj 


p.peu-p) 


l-PeP^la-(l-B)*P^(l^.)J 


=  PK  +  Tc  — >”]  <35> 


Because  ve  have  specifically  assumed  constant  tran¬ 
sition  matrices  in  this  example,  ve  could  have 
obtained  the  result  (35)  by  the  alternative  proce¬ 
dure  of  equating  the  state  vectors  at  like  points 
in  ^ime  ns  noted  in  (21). 

Note  that  all  other  states  in  the  kt.h  period, 
or  in  the  6tcndy  state,  are  determinable  from 
equations  (34)  and  (35)  respectively  by  one  step 
transitions.  For  example,  in  the  steady  otate  as 
— >oo,  the  state  of  the  system  at  cntionce  to 
standby  is  obtainable  from  the  product  of  equations 
(28),  (29)  <md  (35);  _ 


p[o;  tg->oo]  p 


[b;  t -*»] 


r%  1 


thst  equipment  was  nonfsiled  at  en¬ 
trance  to  T 

8k 


-  J  a  -  ?[t]) «  «» 

r  i  0 

vlicre  Fit  lia  the  equipment  failure  distribution. 

The  total  duration  of  "n"  cycles  la  given  by  sum¬ 
ming  up  the  durations  of  T  ,  T  ,  and  T  if  It  occurs- 
That  la,  a  c  r 


1  -  a  0 


o  i  -  e 


r  i  1  •  Vc  H1*)*.  C1  -  °) 

p[0,tk*Tei-H  11  z 

_  i  -  e _ i 

p[b;  tk  +  Tc^o)]  1  -  P^jB-a-dJaP  (1  -  a) 


Availability  of  a  Discretely  Monitored  System 


Wo  are  nov  in  a  position  to  define  the  avail¬ 
ability  of  a  discretely  monitored  system.  Consider 
the  definition  (3)  and  the  basic  cycle  of  figure 
one.  Defining  zero  time  as  being  st  initial 
installation  and  checkout,  this  basic  cycle  repeats 
itself  "n"  and  a  fraction  number  of  times  In  some 
interval  of  time  "t".  According  to  the  definition 
(3)  ve  must  calculate  the  ratio  of  the  expected 
amount  of  nonfsiled  time  to  the  total  time  "t" . 
Ignoring  the  fractional  cycle  left  over,  the  expected 
amount  of  nonfsiled  time  Is  given  by  sumalng  up  to 
"n”  the  product  of  being  nonfsiled  at  entrance  to 
T.  and  the  expected  time  nonfailed  In  Ta.  That  Is, 


Expected  good  ,  1  r  T 

time  duration  in  .)p  0;  t  E  T  (37' 

"n"  cycles  1  Bir  1  8 kJ 

P  0;  t  I  -  probability  of  being  good  at  entrance 

1  V  to  Tt 

E  T  •  expected  time  nonfsiled  In  T  ;  given 

1  kJ  "k 


Expected  duration  of  "n" 
cycles 


— 1  a 

-2  (E[\I  +  E[TcJ+  Pb  *k  +  TcJ*[Trk]>  (39) 

g[rs  j-  expected  durstlon  of  kth  alert  interval 
E[tc  j-  expected  duration  of  kth  checkout 


KIT  j-  expected  duration  of  kth  repair/replace 
>■  rk*  cycle  if  It  occurs 

p|,(  t.  +  T  1-  probability  of  being  rejected  st 
t  8  clJ  the  test  decision  point 

Therefore,  In  general  for  "n"  complete  cycles, 


200 


201 


m,  -  Pnrc  [«  *  Pr  (  l  ■  «)  -  (I  -  I')  (•>•) 


frit  we  Wiy  Get 


r 

*V°t  •  "S  tt**  [•  —  j 


I1  *ri« •  pri>l'fil'l  l!l.v  Ui-it.  of  l.lio*'-'* 

'*T  rh»»r  rl  I'Mrn  »*f  the  aynl"!*  which  nr*' 
rl  will  fell  during  rlr'ekout  b^fop* 

tin*  »*tI.  rb»r  l  r.  I  on  In  mal"  . 

P  **  T1i»*  probability  that  non**  of  those 
V  rim  meter  In  l  lea  of  tlio  r;vn*.*’n  which  are  not 

1.  t«M-.i.fil  will  fnll  during  cl  lockout  before 
tlm  tent  tier  I  a  loti  1m  mad-*. 


*"  (  rnr«-,[rT  *  "c  (l-nl-d-P)]] 

\  ) 


This  expression  has  the  diia.mslonn  of  tlwr.  It  In 
•  Measure  of  the  expected  time  required  for  tl»e  ntati* 
probnbllitlea  to  reach  their  asymptotic  values, 
given  that  the  system  Initially  enters  checkout  In 
a  fnlled  condition. 

Imperfect  Repair  and  Unde  tec  table  Failure* 


The  above  rcBult*  «ny  be  readily  gene rail red  to 
ecccunt  for  the  possibility  of  imperfect  repair  and 
an  inherently  undetectable  folium  rote.  If  we 
define 

P  »  The  probability  that  none  of  thoec  charncterl* 
T  tic*  of  the  system  which  are  tested  will  fail 
during  Tg,  given  that  they  ure  non  fa  lied  st 
entrance  to  that  Interval. 

P  -  The  probability  that  none  of  those  chanic- 
T  terlstlc#  of  the  system  which  arc  not  tested 
"  will  fall  during  TR ,  given  that  they  are 
non  failed  l«t  entrance  to  that  Interval. 


T.  «  Tim  probability  that  none  cf  thooe 
T  rlmr'CterlsUcn  of  Ilia  aynhem  which  ere 
c?.  tend'd  will  fa  1 1  •hiring  Tc  ,  given  Mm*t 
they  are  nonfat UmI  «t  the  7  tent  decision 
end  «»re  panned. 

F  ••  The  probability  that  non"  of  Hose 
'V  ch«ract"rl ntlcn  of  ».h"  nyul.i,m  which  sre  not 
C ?.  ter.led  will  fnll  during  Tr  ,  given  tlmt 

they  nm  nonfallcil  st  th"  7  tent  deelnlon 
nnd  Hie  erjulimr^nt  In  panned. 

M^-  Tlie  prohnbllity  that  n  replaced  unit  Is 
nonfniled. 

Mg*  The  probability  that  n  replaced  unit  Is 
fulled  In  nn  inherently  detectable  winner. 

“Ml"u2*  T,,C  Prohnl,lllty  that  s  replaced  unit  Is 
failed  In  on  Inherently  undetectable 


X  -  Failure  rate  of  the  Inherently  detectable 
characteristics  during,  T^. 

X  •  Failure  rate  of  the  Inherently  undetectable 
U  characteristic*  during  T  . 


Olven  the  above  dcflnltlonn  It  can  be  nhown 
thot  for  the  an  mu  cycle  (uid  conn  train  ta 
dlscuaurd  earlier 


202 


« jr- 

-u* 


Continuous  Monitoring  Policy  for  Repair 
~  by  Remove  and  Replace 


foil  detectobly. 


Dofinltlona  and  Assumptions 


Let  it  be  aesumed  that  failures,  false  alarms, 
failure  detection,  restoration  of  false  olorms  to 
3eryice,  and  repair  of  failures  are  Poisson  dis¬ 
tributed.  We  define, 

X  -  failure  rate  associated  vith  the  charae- 
a  teristlcs  of  the  equipment  which  are 
monitored  in  a  test.  A  failure  of  a 
monitored  characteristic  is  "inherently 
detectable  in  principle ." 

X  -  Failure  rate  associated  with  the  charac- 
U  teristics  of  the  equipment  which  are  not 
monitored  during  testing.  A  failure  of 
such  a  characteristic  is  "inherently 
undetectable  in  principle"  since  it  is 
always  unobseived  by  the  test. 

<3  -  False  alarm  rate  associated  with  the 
c  monitored  characteristics. 

e  •  Bate  of  detection  of  failed  characteris¬ 
tics  of  the  "inherently  detectable  in 
principle"  class. 

U  ,  .  Bate  of  restoration  of  equipment  to  the 


p  .  •  Bate  or  restoration  oi  equipment,  so  tno 
nonfniled  state,  (it  is  specifically 
assumed  that  repair  is  by  remove -end- 
replace  so  that  the  state  of  the  equlp- 


•  The  equipment  cannot  fail  during  repair. 

We  define  the  following  notation 

P  It]  -Probability  of  being  "up"  (assigned 
u®'-  J  to  service)  and  "good"  (nonfniled) 
at  time  t. 

P  |t|  •  Probability  of  being  up  and  bed, 
u°d  L  J  (failed)  but  detectable  in  principle 
at  time  t. 

P  b  |t  «  Probability  of  being  up  and  bod,  and 
u  ^  not  detectable  in  principle  at  time  t. 


P.  jt  •  Probability  of  being  "down"  (assigned 
05 ^  ■*  to  repair),  but  ’good"  (nonfalled)  at 
time  t. 

P..  tj  •  Probability  of  being  down  with  a  detec- 

“d*-  J  table  class  of  failure  at  time  t. 

P  .  t|  •  Probability  of  being  down  with  an  un- 

“  -*  detectable  elesa  of  failure  at  time  t. 

The  Basic  Difference/Differential  Equations  Of 
Transition 


assumed  that  repair  is  by  remove -end-  In  view  of  the  assumption  of  exponential  bold- 

replnce  so  that  the  state  of  the  equip-  ing  times  for  the  failure  distribution,  at  al.,  the 

ment  leaving  repair  is  independent  of  the  following  difference  equations  any  be  written: 

state  during  or  entering  repair.)  rl  r  f  r  1 


Further  assume  that 


state  during  or  entering  repair.)  r  ,  r  (  ■)  rl  . 

,  ,  H ’  pug M  1  +  vu  +  ac> A  4  +  pdgLt]»iiit 

»  Bote  of  restoration  of  cqull*nent  to  ser-  J  1 V  ' 

vice  vith  one  or  more  failures  of  the  (55«) 

inherently  detectable  in  principle  clasa .  r  fl 

*  +  pdb  ITU*1 

-  Bote  of  restoration  of  equipment  to  a  u 

service  with  one  or  more  failures  of  the 

inherently  undetectable  in  principle  p  ft  ♦  Atl-  p  [tVdt  ♦  P  .  [t|(l  -  .at) 

class,  but  no  inherently  detectable  failures.  ubj(  J  ugl  j  d  ub^L  J 

slate  that  ^  ^ 

All  equipment  Is  monitored  continuously.  +Iag[<]  wl^'t  *  Pdbd[tjMlzAt  *  Pdbu[tJu12*t  *  PubJ']^l*t 


•  Failures  of  the  inherently  undetectable 
in  principle  clnas  con  be  caught  only 
by  false  alarming  one  or  more  of  the 
nonfalled,  observed  characteristics. 


•  An  equipment  is  eit’.ier  nonfelled,  failed 
detectably,  or  failed  unde tectably,  and, 
If  failed  unde *ee tab ly,  may  subsequently 


Z03 


t 


PubJt  «At]-  *  pubJt](l  -  (ae  *„>*] 

(55c) 

+  V  [t]‘‘l3Ak+Pdbu[t]‘‘i3A^4d[t]'‘l3At 


which  for  the  equation  Ret  (57)  Is, 

« 

•rH 


“11  8  <Xd  *  nc> 


dgl*  +At]*  vHacA  *  +  ^“ll")  <554) 

db  [t  tj  -  Pub  [tleAt  +  Pdb  Jtjfl  “h^t*-^)  The  trnnnlent  solutions  to  (57)  e«y  »1bo  be  remli- 
d‘  dl  J  d  '  \*X  ly  obtained  but  are  of  esRcntleHy “ftcndnfwlc  Inter- 


(ac+VXU)(8K+Xa*'1ll-“l3)*aelJ12Ad^“lJ 

(62) 


Pdbu[fc  +Atl-  *.bu[*K*  +  PdbuHf  S  *u*}<>*) 


All  other  transitions  ere  of  higher  order  irvftt 
and  hence  may  be  neglected.  Noting  that 

Ub  p[b  *tj-  p[t]  .  dpjtj  L  Al  (■*> 

A  -»o  51  **  ■'  1 J 

We  any  write  the  above  set  of  difference  equations 
as  a  set  of  differential  equations  by  :-sp laying 


ept  except  for  th^  dctcrral nation  of  the  distribu¬ 
tion  of  up- to -down  and  down -to -up  times. 

Mixed  Maintenance  Policies 


In  general,  If  a  system  consists  of  k 
subunits,  each  of  which  hno  a  probability 
of  being  nonfalled  and  assigned  to 
the  availability  of  the  system  as  a  whole  will  be 
given  by 

T  K 


Ste  of  k  ^ 
ability  P  t| 
alert,  “«lU 


p  t 

Ugl 

V.H 

"-.W 

W*] 

W*1 


- 

-<Xd  +  X»  4  °c)  0  0  “11  “11  “n 

’S 

Vd  vd  “12  “l2  “l2 

W1 

xu  0  -(<vV  “13  “13  “13 

p.»„N 

as 

0  .  0 

'oH 

0  e  0  0  u  0 

P  [tl 

^7 

pdbau 

I 

O 

O 

Q 

« 

O 

O 

ay 

»-* 

p»„H 

J 

L 

(57) 


Stesdy  state  Solution 

The  steady  .tote  solution  for  each  coaponent  If  the  mlntenance  pollelee  of  eoch  of  the  eubunlte 


of  the  state  vector  my  be  obtained  directly  by 
noting  that 


and 


lim  Pit]-  0 
t— *ao  1  J 

Z'uH 


■  re  Independent  In  the  aenae  that  the  mlntenence 
policy  of  the  1th  subunit  la  unrelated  to  that  of 
the  jth  subunit,  e.g.  scheduled  or  unscheduled  down 
(58)  tine  for  the  ith  subunit  does  not  lsply  that  down 
tlas  is  required  of  the  Jth  subunit,  and  If 


1  for  ell  t. 


(59) 


llB  F^;  Jtj  estate 


«*) 


1. .1 


llB  P. 
T — >00 


Also  froa  the  definition  (3),  It  my  be  shovn  that  one  my  vrlte 
P.rH*f  f  PugHdt  <*» 

ParH*PugH  (6l) 


Hence 


“HVX  ij  I’  s!‘i“  'If  sH 
I  P-,H  ■  1 


204 


I 


In  p.rticulur,  if  u  system  consists  of  two  subunits, 
the  first  of  vhieh  is  continuously  nonltored  und 
the  second  of  which  is  periodically  monitored, 
the  uvuilnbility  of  the  system  ;•»  n  whole  in 
Given  'oy  the  product  of  e  [Uiitlono  ( 'j1' )  und  (62). 

In- general, -if -tlie_nuin.tcn'mec  policies  arc  not 
strictly  periodic,  i.e.  inspections  and  check¬ 
outs  re  not  hold  to  fixed  calender  d  ten,  rclu- 
tion  (65)  will  hold.  Note  that  this  will  alvays 
be  the  esse  when  one  subunit  utilizes  n  periodic 
policy  (strictly  periodic  or  otherwise)  and  any  num¬ 
ber  of  other  subunits  are  continuously  end  inde¬ 
pendently  monitored. 

Estimation  of  Parameters 
Statement  of  the  Problem 

The  preceding  developments  contain  a  number 
of  factors  such  asX^,  \u<  u^,  Ug,  or  and  (5  which 

sr~  ordinarily  not  directly  observable  quantities. 
For  exnmplc,  the  only  way  in  which  it  may  be 
determined  by  direct  observation  that  n  system  is 
nonfailed  is  to  attempt  to  operate  it;  but  the 
very  act  of  operating  the  system  imposes  stresses 
that  may  cause  system  failure.  If  one  is  attempt¬ 
ing  to  determine  the  quiescent  failure  rateX  ,  how 
can  we  differentiate  between  failures  due 
to  turn  on  stress  and  runntnc  stress  from  those 
arising  from  the  stresses  of  the  quiescent  mode 
of  operation?  The  obvious  answer  is:  by  failure 
analysis.  This  answer  Is  usually  not  at  all 
satisfactory  once  the  system  has  left  the  engineer¬ 
ing  development  stage  and  become  operational. 

The  limitations  of  existing  field  data  reporting 
systems,  the  expense  of  retaining  the  required 
technically  qualified  personnel,  the  logistic  back¬ 
log  of  unrepaired  items  -  -  these  and  a  host  of 
related  factors  make  extensive  failure  analysis 
quite  an  impractical  undertaking.  Fortunately, 
there  is  an  adequate  alternative  -  -  statistical 
Inference.  The  method  of  statistical  inference 
soy  be  understood  by  resorting  to  oversimplified 
examples. 


point  of  test  decision-' 
i.c.  decicion  as  to 
whether  equipment  Is  failed  or 
nonfailed 

Figure  U. 


let  there  be  two  groups  of  initially  nonfailed 
equipment  numbering  M,  and  H,  total  items  respec- 

J.  u 

tlvcly.  let  the  equipments  remain  in  the 
quiescent  mode  for  a  time  t  and  the  Mg  equip¬ 
ments  renin  in  the  quiescent  mode  for  a  different 
time  T  .  Bach  group  is  then  subjected  to  a  test 

*2 

of  fixed  length  T  ,  at  the  end  of  which  it  is 
observed  that  k^  have  failed  In  the  first  group  and 
.  have  failed  in  the  second  group.  The  probability 
that  exactly  k^  failures  will  be  observed  In  Mj 
trials  la 


(67) 

(69) 


Periodically  Monitored  System  ' 


For  convenience,  define 


Referring  to  figure  four,  consider  a  periodi¬ 
cally  monitored  system  which  is  subjected  to  two 
modes  of  operation  during  each  of  which  it 
exhibits  an  exponential  failure  distribution. 
IXirlng  T§  it  is  in  a  quiescent  mode  of  operation 

where  it  exhibits  a  failure  rate  X^ .  IAiring  Te 

it  is  operated  to  determine  whether  it  has 
failed.  The  failure  rate  during  this  time  isX^. 
Assume : 

.  the  point  of  teat  decision  corresponds 
to  the  end  point  of  Tc 


*i  4  kj  (69) 

then  the  maximum  likelihood  estimate  X§  for  tbs 
true  failure  rataX^  is  given  by  solving  th>  aqua¬ 
tion  sat 

->*. 

~rr-  -  oj  1  -  1,  2  (to) 

e)  s 

By  straightforward  oanipulation. 


205 


-i-,-  -Ax 


Contlnuoualy  Ntonltored  System  10 

Estimates  of  the  pyrometers  of  a  continuously 
monitored  system  are  equally  ensv  to  obtain.  Con¬ 
sider,  for  example,  a  simple,  continuously  moni¬ 
tored  system  that  can  occupy  the  three  states, 

.  nonfallcd  end  assigned  to  alert  (U  A 0) 

.  nonfailod  but  false  alarmed  ( D  AO) 

.  down  in  repair/replace  (DAO)V(DAB) 

Where  the  mean  rates  of  transition  between  these 
states  are  X,  a,  aad  u  as  indicated  in  figure  fire ■ 


the  time  to  apparent  failure  for  the  i  system, 
let  4.  equal  the  time  for  repair  or  replacement 

*  Lk  f  k 

of  the  1  syotem  and  let  f(i)  ■  1  if  the  i 
•  oystem  experienced  a  renl  fuilure,  and  let  f(i)«0 

if  the  1th  system  experienced  a  fslse  alarm. 

Since  the  expected  value  of  u^,  E(u^)  -  1 

it  follows  that  (®+X) 


i  ■  (oTTT 


Therefore  an  estimate  of  1  is  obtained  by 
computing  ^ 


n . 

,1”. 


*  figure  5. 

UAO 

^ is  the  real  failure  rate,  a  le  the  false  alarm 
rate  and  u  le  the  repair  and/or  replacement  rate 
for  both  tha  D A B  and  D  A  0  eta tee .  An  important 
point  to  be  noticed  le  that  the  average  time 
(expected  ti«)  for  e  transition  from  UA  0  to  DA  B 
equals  1  .  Similarly,  the  average  tronel- 

(<*  ♦*•) 

tion  time  from  UAO  to  dAo  equals  1  .  The 

TaTxT 

beele  reason  for  thle  phenomenon  le  that  the 
causes  of  falee  alarm  and  tha  causes  of  reel 
failures  ere  acting  concurrently. 

The  expected  time  from  U  A  0  to  down  (apparent 
failure)  equals  the  probability  that  an  apparent 
failure  Is  actually  a  falee  alarm  a 

TaTTT 

multiplied  by  the  expected  (average)  time  to 
false  alarm  1  plus  the  probability  that 
(a  ♦  X) 

an  apparent  failure  is  actually  a  real  failure 
V  multiple!  by  the  expected  time  to  real 
(a  ♦  X) 

failure  1  That  is 

(a  ♦  X) 

(aTTT  (a-h)  +  ~  (s4t)  '  aTT 


Similarly  the  expected  repair  time  equals 


[ts^ryj  ‘ 


An  estimate  of  X  (the  proportion  of  apparent 

failures  which  I?tJaily  vara  real  failures)  oan  he 
obtained  by  computing 

<» 


Then  an  estimate  of  X,^  le  obtained  by  ooamutlng 
M  M 

-’.Si  <* 


Similarly 


1  •  xA'U> 

a  ■  —  —  ■ 

& 


Sines  the  expected  value  of  dj, 


Nov  suppose  up  time,  down  time  and  a  failure 
analysis  lo  obtained  for  M  systems,  Let  Uj  equal 


:(di)-  h  Efed)  “x 
V  1-1  / 


206 


I 


therefore  the  estimate  of  t&  Is  given  by 


Ibis  equation  inverts  to  the  general  fora, 

-<V\l  *0*  -Bt 

puu  It]  .  A  e  d  ^  4  B  e  et 

„  -<vxd>* 


Thus,  the  estimate  of  each  of  the  parameters  of  this 
model  X,  a  and  4  are  obtained. 

It  will  be  noted  that  vo  have  assumed  the  need 
for  failure  unalynia  in  the  case  of  a  continuously 
monitored  system.  We  can  partially  eireunvent  this 
necessity  by  fitting  the  theoretical  distributions 
of  up-to-dovn  and  dovn-to-up  tinco  to  actual  field 
data.  For  example  the  apparent  failure  distribution 
for  a  continuous  monltorlnG  policy  may  be  obtained 
from  Equation  net  (57)  by  netting  the  repair  rutes 
equal  to  tero  nnd  selecting  the  initial  conditions 
such  that  the  system  la  initially  up.  Because  the 
factors  e  and  ae  are  Involved,  the  •'esult  will  not 

be  the  true  system  failure  distribution,  but  rather, 
the  distribution  of  up-to-dovn  times .  Vs  have  from 
(57),  _  r_ 


'(\l  +  XU  +  °c) 


111 


pub  i*J 

U 


(ac  *  e)  Puh  (°J  4  Xd 
a 

ae  4  Xd”-° 


B  4  C  -  1  ’ 

This  is  the  probability  of  remaining  up,  given  that 
the  equipment  is  initially  up.  Note  that,  although 
each  of  the  parameters  e,  ac,  Xu,  and  Xd  ara  asso¬ 
ciated  vith  exponentials,  the  resultant  of  their 
interaction  vill  not.  In  general,  be  an  exponential 
since  the  sun  of  exponentials  Is  not  representable 
by  a  single  exponential  term.  There  are  four  possi¬ 
ble  exeeptlons.  (con’t  page  15) 


Pugt*J 


Ptlh  1*1 


-K  +  Xd)l  lpub  t*> 

J  L  J 


PHg  I°1  +  PUb  I°1  +  Pub  M  *  1 

d  u 


by  assumption. 

Taking  the  Laplace  transform  ^  of  (8b) 


Pug  (°)  -<■  4  Xd  4  N,  4  ac> 


Pub  lol 
a 


P  .  [o] 

ub  1  J 
u 


where  the  probability  Pyu  [t]  of  reralnlng  »rp,  given  that  the  syetaa  Is  Tnlvfc 


0  0  Pug  [0] 

■(* 4  o)  vd  V  1,1 


-(s4Xd4ac)  Pub  [S] 
u 


Puu  1*1  ’  Pug  1*1  4  Pub„  1*1  4  Pub  1*1 


-(■  4  c>  (■  4  ae  4  Xd'  ’uc(o]  4  Xd  4  X, 


-(“  4  e)(("  4  X.l  4  Xu  4  ac)rubu[o1  4  XuPug[oJ 


U  4  ac)  {(.  4  ac  4  ka)Pub  (o) 


4  XdPubut°l  4  XdPugI°l] 


(•  4  xd  4  Xu  4  acl  4  *1  (•  4  ac  4  Xd! 


207 


(93) 


Therefore 


Pdd  ItJ  -  •  -  (99) 

TYil  r.  1b  the  probability  of  remaining  down  given 
that  the  equipment  is  initially  down. 


then  the  net  distribution  io  a  single  exponential . 
•The  second  and  third  possibilities  ore  extremely 
unlikely  to  occur  in  practice.  Hie  fourth  poasi- 
bllity  will  not  be  observable  from  field  data, 
provided  that  the  system  has  reached  steady  state. 
Once  steady  stats  is  achieved  we  will  observe 


1-1 


Examples 

Scope 

We  shall,  very  briefly  Illustrate  three  applica¬ 
tions  of  the  above  developments. 

.  A  fit  of  the  theoretical  up-to-do-n  distri¬ 
bution  to  the  field  data  of  a  continuously 
monitored  system. 

.  A  fit  of  the  theoretical  down -to -up 
distribution  to  the  field  data  of  a 
continuously  monitored  aystem. 

.  Calculation  of  P,  a,  and  for  a  discretely 
monitored  system. 


which  will  quite  clearly  not  result  in  a  single 
exponential  tens  for  (t). 

The  net  effective  repair  distribution  may  be 
obtained  from  equation  set  (57)  by  assuming  that 
all  the  equipment  is  initially  down,  that  no  addi¬ 
tional  equipment  enters  the  down  state  after  t  -  0, 
and  then  solving  the  equation  set  for  the  time  to 
return  to  the  up  state.  In  this  esse  equation  set 
(57)  reduces  to 


(95) 


I0J  +  Pdb  101  +  Pdb  101  *  1  (96) 

and  the  probability  Pdd  (t)  of  remaining  down, 
given  that  the  system  is  initially  down,  is 

M  ‘  pdw  W  +  rdb.  ltl  +  Pdb  lt)  (97) 


Proceeding  exactly  outlined  above  ve  iave 


pdd 


Figure  six  illustrates  a  sample  of  data  for 
the  reported  up-to -down  times  of  an  ICEM  System. 
The  data  ls'given  in  arbitrary  time  dimensions  for 
reasons  of  security.  A  Chi  squared  test  of  the 
data  indicated  that  it  is  exponential  at  the  90Jl 
acceptance  level.  The  theoretical  distribution 
(equation  (89)  indicates  that  exponentlallty  of 
reported  up-to -down  times  is  consistent  with  tbs 
■naumed  model  if,  and  only  if,  one  of  the  four 
conditions  of  (93)  hold.  Subsequent  shop  action 
on  reported  failures  indicated  that  20^  of  the 
rejects  were  in  fact  good  (false  alarmed),  hence  . 
wc  ore  forced  to  accept  the  first  of  conditions 
(93),  i.e. 


Hence  the  arithmetic  smon  of  the  data  of  figure 
r*lx  (U.l  in  the  arbitrary  time  unite)  is  the 
maximum  likelihood  estimate  of  l/(a£  +Xd). 

rurther,  since  20%  of  the  rejects  were  In  feet 
good,  we  estimate  that 


A  (number  of  false  alarms)  1 

°c  "  (total  number  of  rejects)  '  d  e" 

(100) 

•  0.2  X  1  =-0.05  time  unit# 

ITT 


and  we  estimate  that 


(number  of  false  alarms;  W\  » 

total  number  of  rejects))'  d  c" 

/  (101) 


(1-0.2)  1 
571 


0.2  time  units 


208 


The  Down -To -Up  Distribution 

Figure  seven  illustrates  a  sample  of  dnta  for 
the  reported  dovn-to-up  t.imoo  ofanlCDM  System. 

The  dimensions  of  tin?  data  urc  arbitrary  for  reasons 
-of  parity .  The  previously  assumed  model  Indicated 
that  the  distribution  would  be  exponential  if  tlx; 
underlying  repair  ( remove /re place)  distribution 
wan  exponential  (99)*  As  indientod  in  figure  seven, 
the  field  data  suggests  that  the  underlying  dis- 
tribution  io  log  normal.  Thin  tendency  has  been 
noted  elsewhere  in  the  literature.  Since  this  type 
of  distribution  connot  be  handled  analytically 
recourse  to  the  "black  box"  technique  of  Morse11 
is  nocensnry.  Without  regard  for  the  actual  struc¬ 
ture  of  the  rcmove/replace/rcpair  process  we  may 
postulate  an  "n"  state  exponential  process  that 
duplicates  the  behavior  of  the  observed  dnta.  In 
the  present  instance  the  data  may  be  fitted  nicely 
by  assuming  t  we*  internal  a  to  ter..  A  failure  io 
assigned  to  the  first  down  state  with  probability 
"a”  and  to  the  second  down  state  with  probability 
"1-a".  Return  to  the  up  ctnte  from  the  first  down 
stntc  occurs  at  rntc  and  from  the  oecond  down 
state  with  rate  Under  these  assumptions,  the 

dovn-to-up  distribution  can  be  shown  to  be 

r  “U1  t  t 

Pw[tj  •  0  e  +  (1  -  a)  e  ( 102) 

The  curved  line  in  figure  oeven  shows  the  results 
of  assuming  a  two  atute  preccoo  for  the  observed 
sample  of  data.  It  will  be  noted  that  either  the 
two  state  exponential  proceoa  or  the  log  normal 
curve  are  equally  representative  of  the  oboerved 
data  , 

Parameter  Eotlmntlon  by  Inference  Methods  for  a 
Discretely  Monitored  System 

At  the  time  of  this  vrltlng  the  reoults  of 
estimating  parameters  for  discretely  monitored 
systems  iron  field  data  by  inference  methods  is 
not  complete.  However,  the  potential  usefulness  of 
the  method  has  been  investigated  in  detail  by  the 
Monte  Carlo  technique  on  an  IBM  7090  computer. 

As  an  example  of  the  reoults  which  have  been  achieved, 
consider  the  controlled  Ryotcm  exercise  indicated 
in  figure  eight.  Assume  that  each  time  that  a 
(sub)  system  leaves  repair  it  io  subjected. to  a 
sequence  of  three  checkouts  of  durution  T  '*'» 

T  »  and  T  (3)  with  the  test  decision  occuring  at 

w  C 


the  end  of 

each  checkout. 

Further  ossume 

fck  \ +  T 

,(!),  etc. 

(2)  L  t  (3)  1 

'  Tr 

T '  ^ 

-c  — T  C - *| 

P  [al 

P  (a)  P  (a] 

'  (») 

IP  Ip| 

prob[pppj  =  (l-|iVc)  P3iuPc(l-l’e)(l-o<)ft': 


♦  npJ^i-pWi-al*  Pn*p„3(i-a)3 


(103) 


'Tf~th i b '  sequence  1  fl  iVpta’tJTd  ~iX5f'^~Tryn t" mn ,  a  11  .of 
one  kind,  nnd  N  (ppp]  nre  the  number  of  cyntemn 
with  outcome o  FTP  etc,  then  it  can  be  shewn  that 
the  maximum  likelihood  ontimaten  of  0,  a,  Pr,  and 
\i  are  given  by 


1  - 


A 

a  - 


A 

Pc" 


n  [ml  -  ii  ferj 

N  jPFPj  +  N  [PFFJ  -  M  |Ff IM  -  H  [FPfj 
N  frFFl  -  H  [fTpl 

N  [PPfj  +  N  [fTFj  -  H  jPFPj  -  N|FTPj 

H  [~PPFl  4  H  (fPf!  -  N  fPFPl  -  H  ffTPl 
N  jpKFJ  +  N  [PFF(  -  N  [FPFj  -  N  |JPf] 


(10U) 


(105) 


(1D6) 


N  fepp]  ♦  H  iFPpj  +  It  FttpI  .  H  Tmo  * 

ft  .  _  _ - _ -  ItB 

**  K  7a  7T 

Pc  (a  -  1  +  p)  (107) 


Having  estimates  for  the  above  parameters,  an 
estimate  for  Vg  may  be  obtained  by  considering  a 


second  set  of  K  systems  coming  out  of  repair,  all  of 
which  enter  standby  and  remain  in  standby  for  the 
Barae  length  of  time  (T.)  and  which  are  checked  out 


Just  once  .  let  R  be  the  number  of  these  K  systems 
which  fall  the  checkout;  then  the  expected  value 


-X.T 


(106) 


of  (R/K),  E(K/K)  •  1  -  P  +  up  e  8  "(or  -  1  ♦  P). 

/  C 

Using  the  estimates  of  p,  u,  pc,  and  a  which  have 

been  obtained,  e  con  be  estimated  by  using  the  shove 
equation;  this  results  in 

„  (109) 

A 


iiJ  (»/*?- 1  *  P 


up  (a  -  1  +  p )/ 


Monte  Carlo  runs  of  the  sequence  of  figure 
eight  were  performed  many  times  using  the  "true" 
values, 


K  -  M  -  500 

a  -  0.1 

p  -  0.1  (110) 

p  «  0.0 

PC  -  0.75 

-  0.0021  failure  s/da  y 


Figure  0 

that  regardleos  of  whether  the  oyotem  fails  or 
puc6c 6  at  the  first  and  second  decision  it  is 
subjected  to  the  subsequent  checkout  without 
recourse  to  a  diagnocic/remove/rcplnce  cycle. 

There  are  eight  possible  outcomes  of  this  test 
sequence:  (PPP),  (PPF),  (PFP),(PFF),  (FPP),  (FTF), 
(FFP),  and  (FFF)  where  P  denotes  "pans"  and  F 
denotes  "flunk".  The  probability  of  any  one  of 
these  outcomes  is  readily  calculated,  for  example 


A  typical  run  yielded 

R  .  284  It 

[ppp]  -  135 

It  jm>j 

Tg  •  7  days  N 

JppfJ  -  50 

It  ^FPFj 

N 

jpFpj  -  10 

it  JffpJ 

N 

iffp]  =  76 

It  JfTFJ 

(hi) 

n 

29 

20 

158 


210 


I 


From  which  it  was  estimated  that 

$  «=  0.08 

A 

a  =  0.22 


=  0.80 


=  0.85 


(112) 


\g  »  0.0019  failures/day 
Bibliography 

1.  Barlow, R.  E.  /  L.  C.  Hunter  Reliability  Analysis 
of  a  One-Unit  System,  J.  of  ORSA  Vol.  9 ,  No.  2, 
pp  200  March-Aprll  I961. 


2.  Barlow,  R.  E.  /  L.  C.  Hunter  Optimum  Preventa¬ 
tive  Policies,  J.  of  ORSA  Vol.  B,  No.  1,  pp”9b 
Jan  -  Feb.  i960. 

3.  Coleman,  I.  J.  /  Abrams,  I.  J.  Mathematical 
Model  for  Operational  Readiness,  J.  of  CRSA 
Vol.  10,  too.'  1,  PP  126  Jan  -  Feb.  1962. 

4.  Gardner,  M.  F.  /  J.  L.  Barnes  Transients  in 
Linear  Systems,  John  Wiley  and  Sons,  Inc., 

8TwY6rk,  1942. 


5.  Horne,  R.  C.  Measurement  and  Prediction  of 
System  Maintainability,  ARINC  Pub.  -  Paper 
presented  at  Third  Conference  on  Maintainability 
of  Elec.  Equipment  sponsored  by  Elec.  Industries 
Assn.  San  Antonio,  Texas  7  Dec.  i960. 

6.  Hosford,  J.  E.  Measures  of  Dependability, 

J.  of  ORSA  Vol.  8  -  No.  1,  pp  53  Jan  -  Feb. 

I960. 


7.  Howard,  R.  A.  Dynamic  Programming  and  Markov 
Processes,  Tech.  Press,  MIT  I960. 

8.  Howard,  R.  R.  /  Howard,  W.  J.  /  Hadden,  F.  A. 
Study  of  Down  Time  In  Military  Equipment, 
proceedings  from  the  Fifth  Rational  Symposium 
on  Reliability  and  Quality  Control,  1959  PP  402. 

9.  Ramins,  M  Determining  Checkout  Intervals  for 
Systems  Subject  to  Random~pa Sure, land  iorp. 
Research  Memo  -  257b  June  I960. 


10.  Kaufman,  N.  Weapon  SyBtem  Availability  Models 
and  the  Estimation  of  their  Parameters,  ASQC 
Long  Island  Quality  Control  and  Reliability 
Conference  20  April  1963 • 


11.  Morse,  P.  M.  Queues,  Inventories  and  Mainte¬ 
nance,  John  Wiley  and  Sons,  Inc.  i95d. 

12.  Radnor,  R.  /  Jorgenson,  D.  W.  Optimal  Replace¬ 
ment  and  Inspection  of'stochastically  Palling 
Equipment,  Rand  Corp.  Paper  207^  16  August  19b0. 


212 


APPENDIX  II 


of 

EXAMPLE  B 

The  Probability  of  Launch  When  Two  Attempts  are  Permissible 


213 


INTRODUCTION 


It  is  assumed  that  the  sites  are  sufficiently  provisioned  that  two  tactical 
launch  attempt3-^aay-he-mad.e^-4n-the-envirrtniiient_^dii£h_exists  -post  first  attack, 
given  that  the  site  is  assigned  to  alert.  One  launch  attempt  may  be  made  if 
the  site  is  initially  off  alert.  It  is  the  purpose  of  this  appendix  to  de¬ 
rive  an  expression  for  the  probability  of  successful  launch  under  these 
conditions . 


DERIVATION 

We  shall  treat  a  simplified  situation  wherein  it  is  assumed  that: 

.  All  latent  failures  are  detected  by  a  tactical  launch  attempt. 

.  No  aborts  arise  from  false  alarms. 

.  Repair  of  an  aborted  launch  attempt  is  perfect,  occurs  at  a  net  rate 
Hc,  and  has  the  density  function 

Pl/.tj.)  =  tJ-c  e  C  r  (B-l) 


.  The  conditional  density  distribution  for  the  duration  of  launch  attempts, 
irrespective  of  the  way  the  attempt  terminates;  given  that  no  latent 
failures  exist,  is  given  by 


p(tCD)  -  L 


-L(WO) 


U-^CD~ 


(3-2) 


.  The  conditional  density  distribution  for  the  duration  of  launch  attempts, 
given  that  latent  failures  exist,  is  given  by 


pCW  =  6[tCD“e] 


(B-3) 


.  The  density  distribution  for  the  probability  of  system  failure  given 
that  the  system  is  initially  nonfailed,  is  given  by 


p[tf]  =  X^e 


where  XT  is  the  total  system  failure  rate. 

Jj 


(B-4) 


214 


There  are  three  initial  system  states 
.  Up  and  nonfailed 

.  up  and  failed  (unknown  latent  failure) 

.  down  (in  repair) 

We  shall  further  assume  that  the  only  permissible  state  transitions  are  de¬ 
fined  by  Figure  33-1,  State  1  is  a  launch  attempt  commencing  from  the  truly 
ready  state.  It  terminates  either  in  a  launch  (State  L)  or  an  abort 
(State  4).  State  2  is  a  launch  attempt  commencing  from  the  apparent  ready, 
but  a  truly  failed  state.  It  terminates  with  probability  one  in  the  repair 
State  4.  State  3  accounts  for  those  missiles  which  are  not  assigned  up  when 
the  execution  directive  is  received.  Only  one  repair  is  permitted  from  this  state. 
State  5  is  a  launch  attempt  entered  from  repair.  licit  from  State  5  to  State 
6  terminates  the  multiple  launch  attempt  sequence  in  a  permanent  down  state. 


The  conditional  probability  of  terminating  a  launch  attempt  with  a  launch: 
given  that  the  missile/site  is  nonfailed  at  the  time  of  initiation  of  any 
launch  attempt  is  given  from  Equations  (B-2)  and  (B-4)  by; 


D  r.  /T1  ;>tf  "^CD  _ 

P  Ut/Ua  GJ  =  e  L  e  l 

1  L 


U^CD-^  d  "CD 


f  -(M-L)  (tf-3)  , 

[»]  U  -  e  L  f  r  U[t,-3] 


•CDL"J  ) 


(B-5) 


where 


-\  t  -L(t  -0) 

i  J  o  LCDLo  CD  O[t0D.3l  d  tCD 


(B-6) 


Pl[tL/U  AG]  =  (\  +  L)  P  [»] 


-(4l+L)  (tL-3) 


U[tL-3] 


(B-7) 


215 


2.16 


MULTIPLE 


The  conditional  probability  of  terminating  a  launch  attempt  vith  an  abort; 
given  that  the  missile /site  is  nonf ailed  at  the  time  of  initiation  of  any 
launch  attempt  is  given  from  Equations  (B-2)  and  (B-4)  by; 


rt.  -Xr  t„  -L(tPT.-0) 

P2[tf/U  AG]  =  J  f  (1  -  e  L  CD)  L  e  CD  Uft^-e]  d  tCD 

0  i 


°  ,  (B-8) 

f  -L(t  -9)  -(Ih-Xt  )  (V0)  | 

-  il-e  f  -PCDM(l-e  -  f  )jU[tf-9] 


P0[t„/U  aG]  =  <  L  e 


f  -L(t.-e) 


-(1*0  (t  -0)1 
(^r)  e  X  f  ;U[t  -( 


j  (B-9) 


=  0  elsewhere 


The  conditional  probability  of  terminating  a  launch  attempt  with  an  abort; 
given  that  the  missile/site  contains  a  latent  failure  at  entrance  to  count¬ 
down  is  given  from  Equation  (B-3); 

P3[tf/UAB]  =  U[tf-9]  (B-10) 

and 

P3Ctf/U  AB]  =  6[tf-9]  (B-ll) 

The  conditional  probability  of  launch  in  two  or  less  attempts;  given  that 
the  missile/site  enters  from  the  truly  ready  state  is  given  by 

P^fi/tTAGj  =  P[tL  <  t]  +  P[tf  +  tr  +  tL  <  t]  (B-12) 

The  conditional  probability  of  launch  in  two  or  less  attempts;  given  that  the 
missile/site  enters  from  the  up  condition  with  a  latent  failure  is  given  by; 

PL[t/U  AB]  =  P[9  +  tr  +  tL  <  t]  (B-13) 

The  conditional  probability  of  launch  in  two  or  less  attempts;  given  that 
the  missile/site  is  in  repair  at  the  time  of  receipt  of  the  execution  di¬ 
rective  is  given  by. 


217 


PL[t/u]  =  P[tr  +  tL  <  t] 


(B-14) 


We  -mav-. -express -±.rne  readiness _ A  [”])  as  the  product  of  apparent  readiness 

P  [«]  and  the  probability  that  the  system  is  nonfailed;  given  that  it  is 

assigned  to  alert,  namely  P„ /„["]•  Then, 

Gy  ~ 


[°°] 


P  .  fool  =  _ I _ I 

'  s/uL  J  PUM 


(B-15) 


and  we  may  then  write  the  total  probability  of  launching  in  two  or  less 
attempts  as; 


PT  [t]  =  A  ["]  <  P[tL'  <  t]  +  P[tf  +  tr  +  tL  <  t]  (- 


f  r  L 


+  *uw  >  p[9  +  tr  +  tL  <  t] 


(b-16 ) 


+  (i  -  puH)  P[tr  +  tL  <  t] 


r  L 


This  expression  is  readily  evaluated  by  resorting  to  Laplace  transforms. 
We  have  that 

Pits]  PP[s]  Pj.Cs]  p  [s] 

PT[s]  =  A  [°°J  — - —  +  A  [°°]  - - - 

Li  S  S 


A  M  P,[s]  Pk[s]  p,  [s] 
+  P  [“]  (1-^t-t)-2 - =r - — 

UL  J 


(B-17) 


f  (i  -  pj>]) 


Pl^Es]  p-Js] 


where; 


P-Js]  = 


+  L)  FCD[ot]  e 
s+\  -t-L 

Li 


-s0 


218 


I 


—  -s9 

r  -i  L  e 

p2[s]  =  -5Fl- 


pgdC“]  (xl+l)  e 

s+\l+l 


-sO 


pjs]  =  e 


-S^J 


Pj.Cs]  =  - 


l+ljl 

c 


(B-18) 

(B-19) 

(B-20) 


Carrying  out  the  multiplications  indicated  in  Equation  (B-17)  and  performing 
the  inverse  transformation  we  arrive  at  the  final  expression, 

,  ~(VL)  ^-Q) 

P  [t]  =  j  A  [®]  PGDC»]  (1  -  e  L  ) 


+ -  puh?cdm  0-  -  ^r^rr 

^c  L 


uc  -(Xj+L)  (t-9) 
e 


UK 


\i-L-K 
c  L 


-Li  (t-9)  ') 

5  C  )(  U[t-9] 


(  L(UX.) 

>  a  W  pcdW  j  i  -  (,vL)  (vt>x)  « 


-Hc(t-20) 


.(UXL)  (t-29)  %(WXL)  ,L(t.29)] 

+  e  -  XTriTTET  e  !  uCt-2el 


PCL 


U  ‘  c 


J 


-  A  [°°]  P  2[«]  J  1 


(I*XL)  -nc(t-20) 


(B-21) 


CD  u  J  )  *  "  ,  _  V  \2 

(  ^c‘L-XL) 

(t-29)  nc  (U\L)  -(UXL)  (t-29) 
(m.c-l-xl) 


M.c(uc-2L-2Xl)  -(Irt-Xj.)  (t-29)  ! 


(|j,c-l-Xl)‘ 


(pur»]  -  a,[®])  ppn[®i  1 1  + 


U[t-29] 


) 

(J>XL)  -y,c(t-29) 


CDL 


|i.  -L-X 

c  L 


\ 


219 


_^c 


-(Ih-Xl)  (t-2Q)  } 

e  ( 


U[t-20] 


Or 


Note  that  as  t  — 00  j 


A  [“] 


rCDL  J 


PCD[»]  (1  -  A  c»]  PCDW  )  <B-22) 


It  is  unfortunate  that  neither  the  transient  solution  nor  the  steady  state 
value  can  be  expressed  as  the  simple  product  of  readiness  and  reliability. 
Due  note  should  be  taken  of  this  result  since  it  indicates  that  the  formal 
mathematical  structure  adopted  by  Task  Group  II  is  too  restrictive  unucr 
certain  circumstances. 


220 


APPENDIX  III 


of 

EXAMPLE  B 

Derivation  of  the  Expressions  for  the  Expected 
Change  of  Status  Delay  in  a  Several  Unit  System 


221 


INTRODUCTION 


In  a  system  composed,  of  several  subunits  all  of  which  enter  scheduled  check¬ 
-out  at  the  same  time,  the  system  as  a  whole  is  not  reassigned  to  alert  status 
until  the  last  subunit  is  checked  out  and/or  repaired.  Since  each  subunit 
is  itself  a  separate  system,  such  a  policy  implies  a  delay  in  the  change  of 
status  of  one  or  more  subunits.  During  this  delay  period  these  subunits  may 
fail  since  they  are  presumably  being  stressed  at  their  normal  standby  stress 
levels  while  waiting  reassignment  to  alert.  Therefore,  this  delay  time  should 
be  accounted  for.  It  is  the  purpose  of  this  appendix  to  show  how  this  delay 
time  is  computed  for  the  subsystem  <CDEFV>  . 

DERIVATION 

Table  C-I  is  a  truth  table  indicating  all  the  possible  down  state  combinations 
which  can  arise  from  the  <CDEF>  subsystem.  Zero  in  the  table  denotes  e  go 
checkout  for  the  individual  subunits  C,  D,  E,  or  F.  A  one  in  the  table  de¬ 
notes  a  no-go  checkout.  In  accordance  with  the  data  summary  (Table  II  of  the 
text)  we  obtain  the  total  system  checkout  time,  including  repair,  for  each 
possible  combination  of  subunit  states  as  indicated.  To  determine  which 
logical  combinations  of  the  subunits  give  rise  to  vhich  total  times,  let  us 
denote  the  fact  that  subunit  i  entered  repair  by  means  of  its  letter  desig¬ 
nator  i,  and  the  fact  that  it  has  a  go  checkout  by  i. 


» 


TABLE  C-I 

System  Down  Time  by  Subunit  State  as  a 
Result  of  Checkout  and/or  Repair 


c 

D 

K 

F 

Total  System  Down  Time 

0 

0 

A 

\J 

0 

T 

c 

0 

0 

0 

1 

F 

T  +  T 
c  r 

E  E 

0 

0 

1 

0 

T  +  T 

C1  r 

E  E 

0 

0 

1 

1 

T  +  T 

C1 

D  „  D 

0 

1 

0 

0 

T  +  T 

C1 

n  D 

c 

1 

0 

1 

w 

triU 

\  W 
Eh° 

0 

1 

1 

0 

T  +  T 

c.  r 

i 

_  E  m  E 

0 

1 

1 

1 

\  * 

1 

0 

0 

0 

T 

c 

m  F 

1 

0 

0 

1 

T  +  T 
c  r 

E  m  E 

1 

0 

1 

0 

T  +  T 

C1  r 

„  E  m  E 

1 

c 

1 

1 

T  +  T 

C1 

D  m  D 

1 

] 

0 

0 

T  +  T. 

C1 

D  m  D 

1 

1 

0 

1 

T  +  T 

C1  r 

„  E  m  E 

1 

1 

1 

0 

T  +  T 

C1 

m  E  m  E 

1 

1 

1 

1 

T  +  T 

C1  r 

223 


Then  the  duration  Tc,  for  example,  occur,  whenever  the  following  logical 
proposition  is  true  j 

X  -  c  DE^  +  C  D  E  E  +  C  D  E  F  +  CDEF 


But  this  may  he 


readily  simplified  hy  the  rules  of  Boolean  algebra  to  yield, 


=  D  E 


Drobability  that  X  is  true  is  given  by 


where  P. 


P[x]  =  (1  -  PD[?1)  (!  - 

7p\  iG  the  probability  of  failing  the  test  for  the  ith  subunit. 


Therefore,  the 

T  is 
c 


contribution  to  total  system  down  time  e[T,]  arising  from 


e[Tc!  =  (1  -  PDrFl)  (1  -  PslF])  Tc 

The  expected  system  down  time  td  is  the  sum  of  the  individual  contributions 
tc  expected  dovn  time  shown  in  Table  C-2. 


=  D  E  Tc  +  E(Tc  E  +  TrE)  +  D  E  (T^  +  Tr  )  +  D  E  F  Tr 


224 


I 


TABLE  C-II 


Contributions  to  Expected  System  Down  Timo 


Do:  .71  Time 
Duration 

Probability  of 
Occurance 

T 

c 

(1  -  pd[f]  (.1  -  pe[f]) 

T  £  +  T  J* 

C1  r 

I 

_  D  _  D 

T  +  T 

C1 

pd[f!  (i  -  pe[f]) 

m  F 

T 

r 

(1  -  Pd[f])  (1  -  Pe[F])  Pp[F] 

The  expected  status  delay  time  for  each  subunit  may  likewise  be  found  by 

returning  to  Table  C-I.  For  example,  consider  subunit  C.  The  delay  time 
C  ' 

T  which  occurs  when  C  has  a  go  checkout  is  derived  from  the  first 

r 

eight  entries  of  this  table  by  subtracting  the  C  go  checkout  duration  from 
the  total  system  down  times  as  shown  below  in  Table  C-ffl. 


I 


I 


225 


TABLE  C-III 


Logical  Table  for  Derivation  of  C  Status 
Delay  Time  for  a  C  go  Checkout 


0  0  0  !  0 

{ 

1 

F 

0  0  1  T 

r 


0  1  0  te+te-t 

C-  r  C 
]  1 


0  1  1  i  te+te-t 

c^  r  c 


Then} 

T  c  =  def(o)  +  d!ftf+e(t  e+te-t) 

x/  r  '^1  r  c ' 

+  D  E(T  D  +  T  °  -  T  ) 
c^  r  c 

In  this  case,  the  table  is  completely  symmetrical  so  that  for  a  no  go  on 
subunit  C, 

T  =  DEF(T  -T  C-T  °)  +  D  E  F  (T  +  TF-T  C-T  C) 
t?  c  c1  ^  C  r 

+  E(T  e+te-t  c  -  T  c)  +  d  e  (t  d+td-t  C  -  T  c) 
c«  r  c,  r.  c,  r 


226 


Similarly,  for  the  remaining  subsystems. 


T  D  =  ef(o)+eftf+e(t  e+te-t) 

v  4  x  r  c 

T  D  =  1  (0)  +  E  (T  E  +  T  E  -  T  D  -  T  D) 

r\  r  C-1  r 


T  E  =  df(o)  +  dftf+d(t  d+td-t) 

"i  r  cx  r  c 


Tr  “  =  0 
2 

T  F  =  de(o)  +  e(t  e+te-t)+de(t  c+td-t) 

x  1  x 

T  F  =  DE(0)+E(T  E+TE-T  -TF) 

C;L  i*  c  r  7 

/m  ^  ^  n  m  F  \ 


+  DE(T  +T  -T  -  I  ') 
C1  r  c  r 


Ihe  probabilities  associated  iftth  the  T„  ^  are  typically  illustrated  by 

T\  • 


Ld  ' 
ri 


-X,  D  T  F 
d  r 


P .  =  E  F  +  E  F  e 

a 

rl 


>  C  /_  E  __  E  m  \ 
-K  (T  +  T  -  T  ) 
d  c,  r  c 

s  1 


where 


E  =  Pe[F] 


E  =  1  -  E 


F  =  Pf[F] 
F  =  1  -  F 


227 


» 


APPENDIX  IV 
of 

EXAMPLE  B 

The  Detailed  Model  for  a 
Remove  and  Replace  Maintenance  Cycle 


1 


228 


INTRODUCTION 


It  was  tacitly  assumed,  in  the  treatment  given  in  the  example  of  this  memo¬ 
randum  that  the  total  down  time  in  repair  and  the  effectiveness  of  repair 
could  he  treated  in  a  limped  fashion.  This  view  is  most  useful  when  using 
gross  field  data.  During  Cat.  II,  however,  it  is  desirable  to  consider 
the  details  of  the  remove  and  replace  sequence  since  the  data  obtainable  is 
apt  to  be  somewhat  different.  We  consider,  then,  the  possibly  repetitive 
sequence  of  test  failure,  remove  and  replace,  recheck. 

DERIVATION 

Figure  D-l  illustrates  the  time  line  for  the  sequence  which  occurs  when  two 
remove  and  replace  actions  arise  as  a  result  of  entering  checkout  in  the  first 
place.  We  assume  the  some  basic  notation  used  previously  except  that  primes 
are  used  to  avoid  confusion. 

The  probability  of  failing  to  pass  the  checkout  on  the 
is  in  general  given  by  the  recursive  relation, 

Fn  =  K**!  +  *3')  jt1  "  0I)  -  U  -  3*  -  of) 

Fn  -  XF„-1  i  F1  4 

The  probability  of  being  good  and  passing  Pn[G  A  P]>  bad  detectable  and 
passing  Pn[B^  A  P],  or  bad  undetectable  and  passing  P^CB^  A  P]  on  the 
nth  checkout  is  given  by, 

PnC0  A  P] 

V>d  A  P] 

VBu  a  n 


•*l’  Fd 


(1  -  or’  )  P, 


(n  O)  (1  .  p  )Cl  »•  4  ^  9* 
C;L 

^  (1-0")  ^1.3 •  Pd'  (1  -  Pu<_  >j 


n-x 


(D-2) 


nth  attenj)t 


Pd  I*  *2  (1  "  p,):|Fn-l 
^  (D-l) 


229 


The  probability  of  failing  checkout  is  given  from  (D-l)  by 


n  =  1 


(D-4) 


0'  +  Pd  (1  -  -  0 

C1 


’)j  (•»!*  ♦  1*3 '  )  +  U2'  0' 


Hence,  c,  probabilities  of  exiting  repair;  given  that  repair  is  initiated, 
in  the  various  possible  states  are  from  (D-2),  (D-3),  and  (D-k). 


1*1  •  Pd  Pu 

_ c  '  c _ 

ll  "  f3’  +  Pd  (1  -  W  +  “3')  +  3’ 

(^'  +  u3*)  |0'  +  Pd  (1  -  -  3 !  )  -  Pd  (1  -  cr')j  +  u2'  3' 

'2  |3'  +  Pd  (1  -  «•  -  +  1*3’)  +  |»2*  3* 

(1  -  Pu  )  +  U3'J  Pd  (1  -  or') 

*3  “  0'  +  Pd  (1  -  a*  -  0*)]  (^’  +  +  j»2’  3* 

l  "I  J 


230 


The  expected  down  time  ic  given  by, 


CO 


where  P[P]  is  the  probability  of  entering  repair  and  X  is  the  probability 
of  re-entry  to  repair  as  defined  by  (D-l). 


231 


EXAMPLE  C 

RADAR  SURVEILLANCE  SYSTEM 


233 


TABLE  OF  CONTESTS 


Pa^e 

I.  INTRODUCTION  AND  SUMMARY .  237 

II.  EFFECTIVENESS  ESTIMATION . .  . .  238 

1.0  Mission  Definition . 238 

2.0  System  Description . ' . 238 

2.1  General  Configuration .  238 

2.2  Block  Diagram  .  . .  239 

2.3  Mission  Profile .  241 

2.4  Delineation  of  Mission  Outcome . .  .  241 

3.0  Specification  of  Figure  of  Merit .  241 

4.0  Identification  of  Accountable  Factors . '  .  241 

4.1  Identification  of  Data  Constraints  .  .  .  . . 245 

5.0  Model  Construction  .  246 

5.1  Delineation  of  System  States .  246 

5.2  System  Model .  248 

5.3  Availability .  249 

5.4  Dependability .  249 

5.5  Capability .  253 

6.0  Data  Acquisition  .  256 

6.1  Data  Sources  -  Reliability .  256 

6.2  Data  Sources  -  Maintainability .  257 

7.0  Parameter  Estimation  .  258 

7.1  Estimating  Basic  Equipment  Characteristics  .  258 

7.2  Determination  of  Availability .  260 

7.3  Determination  of  Dependability .  263 

7.4  Determination  of  Capability  .  264 

8.0  Model  Exercise  . . .  265 

8.1  Effectiveness  Evaluation  .  265 


6.2  Modified  System  Configuration  -  Acquisition  Phase  .  .  265 

8.3  Modified  System  Configuration  -  Operational  Phase  .  .  268 


234 


Page 

3.3.1  Availability  Determination  (Configuration  Ik  2)  270 

3.3.2  Capability  Determination  (Configuration  No.  2)  .  277 

8.3.3  Dependability  Determination  (Configuration  Ho.  2)277 

8.4  Analysis  of  Configuration  Ho.  2 . 280 


235 


ILLUSTRATIONS 


Figure  Page 

1  •  Block  Diagram,  System  Configuration  No.  1 . 240 

2  System  State  Diagrams  . 247 

3  Block  Diagram,  System  Configuration  No.  2  .  269 

4  System  State  Diagrams,  System  Configuration  No.  2 . 271 


'TABLES 

Table  Page 

I  Models  for  A^  -  System  Configuration  No.  1 . 250 

II  Mean  Times  Between  Failures  (tp)  and  Mean  P.epair  Times  (t^) 

for  Equipments . t  .  .  .  .  . . 261 

III  Availability  of  Individual  Equipment . .  262 

IV  Numerical  Values  of  A^^  . . 263 

V  Capability  for  System  Configuration  No.  1 . 264 

VI  Models  for  A1  -  System  Configuration  No.  2 . 275 

VII  Sub -Models  for  Evaluating  Terms  in  Equations  of  Table  VI  ...  276 

VIII  Numerical  Values  of  A^,  System  Configuration  No.  2 . 278 

IX  Numerical  Values  of  C^,  System  Configuration  No.  2 . 279 


236 


I.  INTRODUCTION  AND  SUMMARY 

In  this  example,  the  Effectiveness  of  a  radar  sur¬ 
veillance  and  threat  evaluation  system  is  determined. 

The  system  configuration  proposed  during  the  Program 
Definition  phase  is  analyzed  and  evaluated  in  accordance 
with  the  proposed  model, 

E  =  A*[Dj  C . 

The  example  discusses  in  detail  the  sub-models 
employed  in  determining  the  elements  of  each  vector  and 
matrix.  It  also  illustrates  procedures  by  which  the  num¬ 
ber  of  system  states  to  be  considered  may  be  minimized. 

Following  the  evaluation  of  the  first  system  config¬ 
uration,  another  is  proposed  which  is  intended  to  improve 
the  overall  effectiveness.  Since  the  changes  made  reflect 
only  the  use  of  redundancy  in  various  functions,  the  basic 
equipment  characteristics,  i.e.,  reliability,  maintain¬ 
ability,  are  not  changed.  The  sub-models  for  A,  [d]  ,  and  C, 
however,  are  modified  to  account  for  the  new  configuration, 
and  the  effectiveness  of  this  system  is  determined. 


237 


II.  EFFECTIVENESS  ESTIMATION 


1.0  Mission  Definition 

In  this  example,  the  stated  function  of  the  system  is 
to  provide,  'within  a  specified  time,  a  warning  of  an  enemy 
airborne  pre-emptive  attack.  Specifically,  the  system  shall 

a.  Detect  airborne  objects  in  the  surveillance 
sector  at  a  range  of  not  less  than  3000 
nautical  miles. 

b.  Identify  the  objects,  and  determine,  within 
30  minutes  whether  or  not  they  constitute  a 
threat. 

c.  Convey  results  of  classification  to  decision 
making  point. 

2.0  System  Description 

2.1  General  Configuration 

It  must  be  expected  that  the  system  configuration  will 
change  as  it  evolves  through  its  life  cycle.  There  will  be 
definite  hardware  changes  reflecting  updating  programs  and 
advances  in  the  state-of-the-art.  Even  the  original  concept 


238 


of  the  system  will  tend  to  change  in  response  to  changes 
in  the  world  geopolitical  climate.  In  this  example,  the 
following  system  is  postulated-  during  the  Program  Defini¬ 
tion  Phase.  It  is  referred  to  as  System  Configuration  No.  1 

a.  Three  radar  equipments,  each  of  which  shall 
provide  surveillance  of  a  specified  sector; 
switching  arrangements  will  permit  any  radar 
to  provide  surveillance  of  any  sector. 

b.  A  data  link  function  for  each  radar  equipment 

to  transfer  radar  data  to  a  computational  center. 

c.  A  computer  function  to  store  input  data  and  to 
predict  impact  areas  (the  single  computer  shall 
serve  all  radar  equipments). 

d.  Three  communication  functions,  each  of  which 
shall  convey  data  from  its  associated  radar 
to  its  data  processor. 

e.  Three  data  processors  and  three  displays  to 
present  data  from  associated  radar  to  decision 
maker . 

f.  Necessary  prime  power  to  support  each  of  the 
three  subsystems. 

2 . 2  Block  Diagram 

A  functional  block  diagram  representing  the  system 
described  above  is  shown  in  Figure  1. 


239 


f 


240 


FIGURE  1.  BLOCK  DIAGRAM  SYSTEM  CONFIGURATION  NO, 


2 . 3  Mission  Profile 


The  equipment  is  operated  continuously  until  failure. 

2.4  Delineation  of  Mission  Outcome 

In  the  example  cited,  each  of  the  three  radar  subsystems 
provides  surveillance  of  a  specified  sector.  As  noted  earlier, 
switching  makes  it  possible  for  any  radar  to  provide  surveil¬ 
lance  of  any  sector.  Assume  that  the  probability  that  an 
enemy  attack  will  come  from  each  sector  is  known  (or  can 
be  estimated).  It  is  apparent,  then,  that  even  if  one  or 
two  sectors  are  not  under  surveillance  because  of  failures 
in  the  radars,  for  example,  there  still  exists  a  probability — 
admittedly  reduced — that  the  required  warning  of  an  attack 
will  be  given.  In  order  to  account  for  such  possibilities, 
an  evaluation  of  the  capabilities  of  the  system  in  various 
system  states  must  be  made. 

3-0  Specification  of  Figure  of  Merit 

The  fundamental  figure  of  merit  for  this  system  will 
be  taken  as  "the  probability  that  the  system  will  provide 
a  30  minute  warning,  given  an  enemy  airborne  pre-emptive 
attack  at  a  random  point  in  time." 

4.0  Identification  of  Accountable  Factors 

The  potentially  important  factors  of  a  system  may  be 
quite  extensive.  However,  in  the  current  example  only  the 


241 


following  assumptions  concerning  major  subsystems  (i.e.. 

Radar  Unit  -'Antenna,  Receiver,  and  Transmitter;  Data  Link; 
Computer;  Communications;  Data  Processor;  Data  Display; 
Generator;  and  Power  Line)  are  made: 

a.  Operational  Conditions 

(1)  Climatic  Environment:  The  site  will  be 
located  in  an  Arctic  environment.  Conditions  in  all  equip¬ 
ment  spaces,  however,  will  be  maintained  at  normal  room 
environment . 

(2)  Atmospheric  Phenomena:  Aurora  -  System  shall 
be  capable  of  target  detection  in  presence  of  aurora 
borealis.  Wind  -  Wind  loading  up  to  100  mph.  Icing  -  Ice 
coating  up  to  2  inches  on  antennas. 

(3)  Enemy  Actions  and  Counter  Measures:  Equipment 
shall  have  provisions  for  selectable  tuning  change  to  pre¬ 
vent  jamming.  Provisions  shall  be  made  in  the  computer  for 
target  discrimination  from  decoys. 

(4)  Usage:  System  is  to  be  operated  continuously. 
No  operating  personnel  shall  be  required  at  the  antenna  site. 

b .  Mathematical  Assumptions 

Times  between  failures  are  exponentially  distributed. 


242 


c .  Maintenance  Concept 

(1)  General:  Adequate  maintenance  facilities  and 
personnel  shall  be  provided  so  that  any  r.equired  corrective 
action  can  be  accomplished  at  the  site. 

(2)  Personnel :  A  total  maintenance  force  of  ten 
men  shall  be  stationed  at  the  site.  Three  8-hour  shifts  per 
day  shall  be  maintained.  The  classifications  and  required 
skill  levels  are  shown  below. 


Rank/Rating 

Captain 

Specialty 

Number 

_L 

T-9 

Electronics 

i 

T-9 

Electrical 

i 

T-7 

Radar 

2 

T-5 

Radar 

4 

(3)  Test  Equipment  and  Tools:  All  test  equip¬ 
ment  and  tools  needed  to  permit  the  required  maintenance 
at  the  site  shall  be  provided.  Facilities  for  emergency 
repair  of  the  test  equipment  shall  be  provided. 

(4)  Spare  Parts  and  Components:  Adequate  spare 
parts  and  components  shall  be  provided  to  permit  independent 
operation  of  the  site  for  a  period  of  ten  weeks.  In  cases 
where  system  failure  is  corrected  by  replacement  of  units, 
repair  of  the  replaced  unit  shall  not  be  required  at  the  site. 


243 


d.  Capability  Factors 

The  definition  of  states  of  capability  must  account  for 
factors  which  define  the  performance  of  each  component  of 
the  system.  Examples  are  given  below: 

(1)  Radar 

Transmitter  power  output 
Frequency  stability 
Frequency  range 
Antenna  gain  (beam  width) 

Receiver  signai/noise  ratio 
Switching  times 
Anti- jamming  features 
Pulse  repetition  frequency 
Pulse  shape 

(2)  Computer 

Memory  capacity 
Computational  speed 
Programming  requirements 
Switching  times 
Input/output  formats 
Word  length 

(3)  Communications 

Transmitter  power  outputs 
Receiver  sensitivities 

(4)  Data  processors 

Input/output  format  requirements 

Memory  size 
Computational  speed 
Word  lengths 

(5)  Data  displays 

Type  of  presentation 

Visibility 

Readability 

Retentivity 

Ease  of  interpretation 


244 


(6)  Power  generation 

Capacity 

Regulation 

Voltage 

Frequency 

Efficiency 
Ease  of  switching 

(7)  Power  distribution 

Conductor  sizes 
Power  losses 
Protection  requirements 
Installation  requirements 
Insulation  requirements 

4. 1  Identification  of  Data  Constraints 

Model  construction  should  be  conducted  in  the  full  knowl¬ 
edge  of  the  constraints  which  may  be  imposed  by  data  avail¬ 
ability.  For  example 3  if  it  is  known  that  only  a  limited 
sample  of  life  tests  are  to  be  conducted,  the  effect  of  the 
small  sample  size  on  the  output  of  the  proposed  analyses 
should  be  investigated.  Or  again,  if  piece  part  data  is  the 
only  data  that  will  be  available  until  late  in  the  program, 
the  model  construction  must  reflect  this  fact.  In  the 
present  example,  vie  shall  assume  that  during  the  Program 
Definition  phase,  dependence  must  be  placed  on  generally 
accepted  prediction  procedures.  In  later  phases,  results 
of  tests  of  the  actual  hardware  subsystems  may  be  employed. 


245 


5.0  Model  Construction 


5.1  Delineation  of  System  States 

For  System  Configuration  No.  1  the  probabilities  of 
mission  success  under  various  conditions  must  be  described. 
If  all  combinations  of  success  and  failure  for  every 
individual  subsystem  are  considered,  the  number  of  possible 
system  states  is  extremely  high.  However,  by  considering 
collectively  all  of  the  subsystems  (except  for  the  com¬ 
puter)  in  each  surveillance  path,  an  appreciable  reduction 
in  the  number  of  significant  states  is  made.  A  further 
simplification  is  possible  if  all  states  in  which  no 
system  capability  exists  are  treated  collectively  as  a 
single  state.  Figure  2  illustrates  the  significant  states 
to  be  considered  in  evaluating  Configuration  1  under  these 
assumptions . 


246 


System  State  #4 


or 


NOTE: 

Letters  In  upper  portion  of  block  indicate  -,  equipment  or  _ 
equipments  of  interest;  number  in  lower  portion  of  block 
represents  condition  of  equipment  or  equipments.  "c" 
represents  computer;  "rH  represents  all  serial  equipments 
required  to  provide  surveillance  of  one  sector,  i.e., 
generator,  power  lines,  receiver,  transmitter,  data  link, 
communications,  data  processor  and  data  display.  "1" 
indicates  that  all  equipment(s)  in  the  block  are  operable. 
"0"  indicates  that  one  or  more  equipments  in  the  block 
has  failed. 


FIGURE  2.  SYSTEM  STATE  DIAGRAMS 


247 


5 . 2  System  Model 


For  this  system  evaluation,  the  basic  model  to  be 
employed  is: 

E  =  AD  C  (1) 

where 

E  =  probabj.lity  that  the  system  will  provide  a  30 
minute  warning,  given  an  enemy  airborne  pre¬ 
emptive  attack  at  any  random  point  in  time; 

A  =  availability  vector  :  A  is  its  transpose 

=  probability  that  at  any  random  point  in  time, 
the  system  will  be  in  state  i,  where  i  can  be 
any  integer  from  1  to  n,  inclusive,  n  =  number 
of  system  states  to  be  considered; 

j^D1  =  dependability  matrix 

=  probability  of  transition  from  system  state  i 
to  system  state  j  during  the  required  operating 
period  (0.5  hours),  given  state  i  at  the  begin¬ 
ning  of  this  period; 

C  =  capability  vector 

=  probability  that  the  system  can  successfully 
perform  the  required  functions,  given  that  the 
system  is  in  state  j  during  the  period  of  interest. 


248 


5-3  Availability 


The  element  of  the  availability  vector  A  is  a 

function  of  the  availabilities  of  the  various  equipments 

a..  Symbolically, 

J 

^i  =  ^[aiJ  a2J * ' ’ >  a j *  • ■ ■ »  ar]  ( ^ ) 

The  specific  functional  relationship  is  dependent  upon  the 
system  configuration  and  the  number  of  possible  system 
states . 


For  the  system  configuration  being  considered,  the 
models  for  A^  are  shown  in  Table  I • 

The  aj  are  computed  using  the  generally  accepted  expres¬ 
sion  for  the  availability  of  a  continuously  observed  system; 

ai  =  t,  Ad  (3) 

J 


where 


,th 


tf  =  mean  time  between  failures  for  the  j  sub- 
j  system. 

t ,  =  mean  down  time  for  the  j  subsystem. 

aj 


5.4  Dependability 


The  probability  of  transition  from  one  state  to  another 
during  the  actual  time  of  mission  performance  must  be 


249 


TABLE  I 


-  System  Configuration  No.  1 

(1  -  ar) 

A3  =  3acar  ^  "  ar)2 

a4  =  ac  (!  “  ar^  +  C1  _  ac) 

Where 

ac  =  probability  that  the  computer  is  operable 
(available) . 

a  =  probability  that  all  components  in  each 

sector  surveillance  and  display  subsystem 
(excepting  the  computer)  are  operable 
(available) . 

Note  that  Aj  +  Ag  +  +  A||  =  1.0,  indicating  that 

the  defined  states  represent  all  possible  states. 


Models  for  A^ 


A.  =  a  a  - 
1  c  r 


A^  =  3a  a 
2  J  c  r 


250 


accounted  for.  Use  of  matrix  notation  for  this  purpose 
facilitates  consideration  of  all  possible  state  transi¬ 
tions  .  - 


For  system  Configuration  No.  1,  it  will  be  recalled 
that  there  are  four  possible  system  states.  If  during  the 
mission,  transition  were  possible  from  any  one  state  to 
any  other,  l6  possible  results  would  exist,  including  4 
situations  in  which  no  transition  occurs,  viz.:  « 


In  the  actual  matrix  to  be  employed,  the  probability 
of  each  indicated  transition  occuring  will  be  entered.  For 
example,  the  D11  element  will  be  the  reliability  figure 
which  is  the  one  normally  discussed  in  simple  reliability 
analyses;  i.e.,  the  probability  of  no  failure  during  the 
mission,  given  that  the  system  was  completely  within  specifi¬ 
cation  at  time  zero. 


In  this  example,  maintenance  is  assumed  to  be  ineffec¬ 
tive  during  the  actual  mission;  therefore,  no  transition 
from  a  lower  to  a  higher  state  will  be  possible,  and  each 


251 


element  below  the  diagonal  line  will  be  zero.  The  remain¬ 
ing  elements  in  the  matrix  are  evaluated  by  use  of  the 
following  equations: 


E12  -  3Vr2(l  -  Rr> 
d13  =  3RcRr  (1  -  Rr)2 

d14  =  V1  -  Rr>3  +  t1  -  Rc> 


(5) 

d23  -  SW1  '  Rr) 

d24  =  Rc  t1  -  Rr>2  +  (1  -  R0)  =  1  -  RcRr(2  -  Rr) 


D34  -  Rc  (1  -  Rr)  +  (1  -  Rc) 
d44  =  1 


where 

Rc  =  computer  reliability 

R  =  reliability  of  all  other  equipments  in  each 
sector  surveillance  and  display  subsystem. 


252  - 


In  some  situations,  it  is  possible  that  the  mission 
reliability  need  not  be  evaluated.  This  might  be  the  case, 
for  example,  if  the  actual  length  of  the  mission  is  very 
short  compared  to  the  mean  times  between  failures  for  the 
systems.  In  such  cases,  each  element  of  the  main  diagonal 
approaches  unity  while  all  others  approach  zero.  If  this 
approximation  is  acceptable,  the  "identity  matrix"  can  be 
employed  and  will  considerably  simplify  computations.  In 
essence,  this  permits  the  mission  reliability  factor  to  be 
represented  by  unit.  This  approach  will  be  illustrated  in 
a  later  example  for  a  different  system  configuration. 

5 . 5  Capability 

Although  a  system  may  be  available  and  functioning  as 
designed  during  the  mission,  the  system  can  still  fail  to 
accomplish  its  design  purpose  due  to  a  variety  of  factors. 
In  the  case  of  a  surveillance  sysoem  such  factors  would 
include : 

(1)  Signal  masking  due  to  background  thermal  noise. 

(2)  Range  and  doppler  velocity  limitations  due  to 
radar  pulse  repetition  rate. 

(3)  Angle  discrimination  due  to  finite  antenna 
beam  width. 


253 


These  factors  are  conveniently  lumped  together  in  a 
vector  which  is  called  the  "design  capability"  factor  of 
the  effectiveness  equation.  In  the  present  illustration, 
a  simplified  example  will  be  used  to  show  how  this  calcula¬ 
tion  is  undertaken.  Specifically,  we  shall  consider  the 
effect  of  background  thermal  noise  on  the  ability  of  a 
radar  to  detect  and  accurately  track  a  potential  threat. 


The  distribution  of  the  amplitude  in  volts  (E  )  of 
the  system  noise  is  Gaussian  so  that  the  probability 
density  of  noise  amplitude  is  given  by: 


n 


.-r 


n 


E  2 

;  -~<En<+~ 

n 


(6) 


The  density  distribution  of  noise  power  is  obtained 

by  recognizing  that  noise  power  (P  )  is  proportional  to 

the  square  of  noise  voltage  (E  )  and  then  applying  a  trans- 

n 

formation  of  variable  to  -(6).  That  is: 


P 


n 


(7) 


1 

2 


And 

p  E  dE 
..  n_  n 


dP 


(8) 


i 


1 


* 


254 


With  attention  to  the  change  of  limits  on  (6); 


0  <  P  <  +  ^> 

-  n  - 

Thus 


p  1 
t  n  j 


(9) 


(10) 


The  signal  power  (S)  returned  from  a  potential  threat  is 
given  by: 

s  (ii) 

r 

Where 

r  =  radial  distance  to  threat, 

J  =  reflectivity  of  threat,  and 
C  =  function  of  antenna  gain,  transmitter  power. 


In  general,  the  time  which  it  takes  to  perform  the 
threat  evaluation  will  depend  upon  the  ratio* S/P  ,  shorter 
evaluation  times  being  associated  with  larger  values  of  this 
ratio  since  this  reduces  the  required  signal  tracking  and 
smoothing  times. 

There  will  be  some  value  £  below  which  there  is  a 
vanishingly  small  probability  of  threat  evaluation  within 
the  prescribed  time;  thus  the  probability  of  detecting  a 
threat  is  given  by 


s/-  -  - 

F,  =  /  p  P  dP 

d  J  0  r  •  n  j  n 


(12) 


255 


Therefore  the  probability  of  detection  becomes 

a  CJ 


pd  =  1  -  e  2  n 


a _ (S/  ■-  ) 

"  2  - 


1  -  e"  2 — 5  T" 


(13) 


n 


Each  system  state  i  will  have  a  particular  value  of  P,  . 

al 


In  addition,  there  will  be  other  performance  factors 
as  listed  in  paragraph  4.1.d  above,  associated  with  each 
system  state  which  will  influence  the  probability  of  detec¬ 
tion  and  track.  Thus,  in  general,  we  can  write  a  capability 
vector. 


C 


(14) 


where 


V  Kipd. 


6 . 0  Data  Acquisition 

6.1  Data  Sources  -  Reliability 

In  the  program  definition  phase,  data  is  generally  not 
available  from  actual  tests  of  the  system  under  consideration. 
In  this  case,  use  is  usually  made  of  available  generic  data 
sources.  A  tabluation  of  reports  and  papers  which  treat 


256 


reliability  prediction  is  included  in  the  section  of  this 
document  entitled  "Data  Sources". 

Determination  of  failure  rates  for  given  stress  con¬ 
ditions  are  included  in  some  of  the  data  sources.  In 
employing  these  data,  care  must  be  taken  to  utilize  only 
those  data  sources  which  closely  duplicate  the  expected 
environment  of  the  system  under  development.  Wherever 
such  data  is  unobtainable,  available  data  must  be  modified 
by  appropriate  proportional  stress  factors. 

In  later  development  phases,  reliability  data  is 
often  available  from  contractor  tests.  During  the  early 
acquisition  phase,  such  data  obtained  from,  the  contractors 
bench  tests  may  be  used  to  supplement  generic  failure  rate 
information.  During  the  operational  phase  additional  data 
may  be  obtained  from  standard  Air  Force  reporting  forms. 

6.2  Data  Sources  -  Maintainability 

Some  predictive  models  exist  for  estimating  mean-down 
times  (or  components  thereof).  Three  examples  of  snob 
models  are  presented  for  specific  operational  conditions 
in  the  documents  referenced  below: 


257 


Airborne  Systems 


Ground  Systems 


Shipboard  Systems 


"Maintainability  Prediction: 
Theoretical  Basis  and  Practical 
Approach"  (Revised) 

ARINC  Research  Corporation 

"RADC-TDR-63-85,  Yol.  II  - 
Maintainability  Engineering" 
Radio  Corporation  of  America 
RCA  Service  Company 

"A  Maintainability  Prediction 
Procedure  for  Designers  of 
Shipboard  Electronic  Equipment 
and  Systems" 

Federal  Electric  Corporation 


In  general,  these  procedures  concentrate  on  the  pre¬ 
dictions  of  "active  repair  time."  This  is  defined  as  the 
length  of  time  required  to  complete  the  repair,  given  that 
one  or  more  technician  is  actively  engaged  in  repairing 
the  equipment.  The  procedures  consider  such  factors  as 
system  construction,  accessibility,  diagnostic  devices  and 
test  equipment  availability.  The  treatments  accorded  such 
other  factors  as  administrative  delays,  skill  level  of 
maintenance  personnel,  availability  of  spares,  and  queuing 
resulting  from  an  insufficient  number  of  maintenance  per¬ 
sonnel  vary  considerably. 


7 . 0  Parameter  Estimation 

7.1  Estimating  Basic  Equipment  Characteristics 

Depending  upon  the  program  phase,  the  estimation  pro¬ 
cedures  used  to  determine  t^  -will  vary  appreciably.  In 
the  operational  phase,  for  example,  the  value  of  tf  might 


258 


be  computed  from  field  data  by 


where 

t  -=~total  observed  operating  times 
f  =  total  observed  number  of  failures. 


(15) 


In  earlier  phases ,  as  noted  earlier,  the  value  of  t^ 
might  be  synthesized  from  generic  failure  rates  on  individual 
parts  or  components  comprising  the  system.  For  a  single 
equipment  involving  no  redundancy  in  which  it  may  be 
assumed  that  all  parts  or  components  exhibit  constant  fail¬ 
ure  rates,  tf  would  then  be  given  by: 


1 

'f  ■  Tn~r 

'  Ai 
1=1 

Where 

^  =  failure  rate  of  the  l  component 
n  =  number  of  components  in  the  equipment. 

As  m  bne  case  of  the  down  time  models  w-n  1  differ 

in  various  program  phases.  Again,  in  the  operational  phase. 


259 


f 


might  be  calculated  from  field  data: 


where 


(17) 


=  total  time  during  which  equipment  was  down  (not 
operable)  during  a  specified  period. 

n  =  number  of  separate  maintenance  acL  ioiio  during 
the  specified  period. 


In  earlier  phases,  predictions  based  upon  system  con¬ 
figuration  and  the  support  situation  will  be  necessary. 


Because  of  the  complexities  involved  in  estimating 
tf  and  t^,  it  is  not  reasonable  to  explore  the  details  of 
the  procedures  in  this  example.  It  is  assumed,  therefore, 
that  through  the  use  of  appropriate  techniques,  the  numerical 
values  shown  in  Table  II  were  developed. 


Determination  of  Availability 


The  availability  of  each  subsystem  is  determined  from 
Equation  3  utilizing  the  data  of  Table  II.  The  results  are 
shown  in  Table  III. 


260 


t 


TABLE  II 


Mean-Times -Between-Failures  (t^) 
and  Mean  Repair  Times  (t  )  for  Equipments 


II 

Equipment 

,  tf 
(hours) 

tr 

(hours ) 

Power  Lines 

26,280 

24.0 

Generator 

17,520 

22.0 

Transmitter 

800 

1.0 

Receiver  and  DTO 

2,000 

0.5 

Data  Link 

43,800 

1.0 

Computer 

250 

1.0 

Communication 

4,000 

0.5 

Data  Processor 

4,000 

0.5 

Data  Display 

4,000 

0.5 

TABLE  HI 

Availability  of  Individual  Equipment 


Equipment  s 

ad 

Power  Lines 

. 999087 

Generator 

.  998745 

Transmitter 

.  998751 

Receiver  and  DTO 

•  999750 

Data  Link 

. 999977 

Computer 

.996016 

Communication 

.999875 

Data  Processor 

.999875 

Data  Display 

.999875 

where 

v_ 

t„  =  mean  time  between  failures  for  the  j  subsystem 

4* 

t  =  mean  time  to  repair  for  the  j  subsystem 


262 


4- 


The  probability  of  being  in  any  system  state  at  a 
random  point  in  time  is  given  by  utilizing  the  results  of 
Table  III  in  the  Equations  of  Table  1.  The  components  of  the 
availability  vector  are  therefore,  the  values  listed  in 
Table  IV. 

TABLE  IV 

Numerical  Values  of  A. 

_  i 

System  Configuration  No.  1 
A1  =  .983934 
a2  =  .012033 
a3  =  .000049 

A4  .003985 

7 ■ 3  Determination  of  Dependability 

Use  of  the  same  input  data  employed  in  the  availability 
analysis,  e.g.,  values  of  failure  rates,  permits  determina¬ 
tion  of  numerical  values  for  each  element  of  the  depend¬ 
ability  matrix  utilizing  equations  5  and  the  data  of 
Table  II,  we  have  for  system  configuration  No.  1: 


263 


0.99^088 

0 

0 

o 


0.003909 

0.995391 

o 

0 


0.000005 

0.002609 

0.996696 

0 


0.001998 

0.001999 

0.003304 

l 


(18) 


7.4  Determination  of  Capability 

We  shall  assume  that  the  possibilities  of  an  attack 
emanating  from  a  particular  sector*  coupled  •with  the  systems 
abilities  in  various  conditions  led  to  the  assignment  of 
the  state  capabilities  shown  in  Table  V. 


TABLE  V 

Capability  for  System  Configuration  No.  1 

State 

Number 

Capability 

1 

IP 

2 

0.75P 

3 

0.35P 

4 

OP 

In  these  tables*  P  is  the  capability*  i.e.,  the  prob¬ 
ability  of  successful  mission  performance,  when  the  system 
is  fully  within  specification. 


The  probability  is  assumed  to  be  given  by  evaluating 
Equation  (l4)  in  conjunction  with  the  other  significant  per¬ 
formance  factors  of  each  system  state. 


264 


In  the  present  example,  it  is  simply  assumed  that  this 
has  been  done  for  each  partial  system  failure  delineated 
by  the  block  diagram  of  Figure  2.  Each  leg  of  this  block 
diagram  is,  then,  a  specifically  accountable  system  state. 
The  numerical  values  are  assumed  to  be  for  each  of  the 
four  system  states: 

c1  =  P  =0.998 
CQ  =  C.75P  =  0.749 

(19) 

C3  =  0.35P  =  0.349 

=  OP  =  0.000 

8.0  Model  Exercise 

8.1  Effectiveness  Evaluation 

At  this  point,  we  are  in  a  position  to  evaluate  the 
expression 

E  =  Ad' C 

L  1 

For  System  Configuration  No.  1,  the  multiplication  of  the 
three  terms  yields  an  Effectiveness  of  O.988O. 


Modified  System  Configuration 
Acquisition  Phase 


Analysis  of  the  results  obtained  from  evaluation  of 
System  Configuration  No.  1  during  the  Definition  phase 
suggested  several  modes  for  improving  effectiveness.  The 


265 


analysis  indicated  that  the  Computer  was  the  greatest 
single  adverse  factor  influencing  Effectiveness.  Consider¬ 
ing  redundancy  in  this  function  and  other  changes  noted  in 
the  following  system  definition  indicated  a  probable  increase 
in  effectiveness  from  the  value  of  0.9880  estimated  for 
Configuration  No.  1  to  O.S^kO,  showing  the  positive  effects 
of  redundancy.  At  this  stage  (Acquisition  Phase),  the  system 
is  defined  to  be: 

(1)  Three  radar  equipments,  each  of  which  shall 
provide  surveillance  of  a  selected  sector.  • 

Three  antennas  are  to  be  provided,  which  are 
to  be  switchable  among  radars.  Each  radar 
shall  provide  detection  capability  at  the 
3000  nautical  range. 

(2)  'Two  data  link  subsystems,  each  of  which  shall 
be  completely  capable  of  handling  all  radar 
data. 

(3)  Two  storage  and  computing  subsystems  each  of 
which  shall  be  completely  capable  of  storing 
all  input  data  and  predicting  impact  area. 

(4)  Two  communication  subsystems  each  of  which 
shall  be  completely  capable  of  conveying  all 
necessary  data  to  the  decision  point. 

(5)  Two  data  processor  and  display  subsystems, 
each  of  which  shall  be  completely  capable  of 
processing  and  displaying  all  required  data. 

(6)  Four  independent  power  generating  devices. 

Any  pair  of  which,  when  operating  at  full 
capacity,  shall  be  capable  of  supplying  the 
total  power  requirement.  In  normal  operations, 
three  generators  shall  be  on-line,  each  oper¬ 
ating  at  two-thirds  of  full  load  capability. 


(7)  Power  lines  capable  of  transferring  power 

with  no  more  than  0.5$  power  loss  at  maximum 
load. 


Similar  analyses  during  the  Acquisition  Phase  coupled 
with  more  definite  information  on  reliability,  the  diffi¬ 
culties  inherent  in  the  logistic  support  problem,  and  the 
importance  of  target  threat  evaluation  led  to  further 
changes.  The  system  in  the  operational  phase  (System  Con¬ 
figuration  No.  2)  consists  of: 

(1)  Three  radar  equipments,  each  of  which  shall 
provide  surveillance  of  a  selected  sector. 

Any  of  the  radar  equipments  shall  be  capable 
of  operating  with  any  of  the  three  antennas. 
Switching  shall  be  possible  in  less  than  three 
minutes  for  the  transmitters  and  in  less  than 
1.5  minutes  for  the  receivers;  a  spare  trans¬ 
mitter  shall  be  provided  which  can  be  switched 
into  any  of  the  three  equipments  in  less  than 
three  minutes . 

(2)  Two  data  link  subsystems,  each  of  which  shall 
be  completely  capable  of  handling  all  radar 
data . 

(3)  Two  storage  and  computing  subsystems  each  of 
which  shall  be  completely  capable  of  storing 
all  input  data  and  predicting  impact  area. 

(4)  Three  communications  subsystems,  any  one  of 
which  shall  be  completely  capable  of  convey¬ 
ing  all  necessary  data  to  the  decision  point. 

(5)  Two  data  processor  subsystems,  either  of  which 
shall  be  completely  capable  of  processing  all 
required  data. 

Three  data  display  subsystems,  any  one  of  which 
shall  be  completely  capable  of  displaying  all 
required  data. 


267 


(6)  Six  independent  power  generating  devices, 
any  four  of  which,  when  operating  at  full 
capacity,  shall  be  capable  of  supplying  the 
total  power  requirement.  In  normal  opera¬ 
tions,  five  generators  shall  be  On-line, 
each  operating  at  Q0%  of  full  load  capacity. 
Power  lines  capable  of  transferring  power 
with  no  more  than  0.5%  power  loss  at  maximum 
load. 


8 . 3  Modified  System  Configuration  - 
Operational  Phase 


The  operational  configuration  defined  above  is  now 
evaluated  following  the  same  procedures  used  in  evaluating 
configuration  1.  Figure  3  presents  the  functional  block 
diagram  for  system  configuration  2. 

The  complexity  of  the  system  has  now  been  increased  by 
the  redundant  equipments.  If  all  combinations  of  success 
and  failure  for  every  equipment  in  System  Configuration 
No.  2  are  considered,  the  number  of  possible  system  states 

Q 

is  approximately  10  .  For  this  example--and  in  general-- 
however,  consideration  of  the  system's  capabilities  for 
various  combinations  of  subsystem  failures  permits  an 
appreciable  reduction  in  the  number  of  significant  states. 

As  an  example,  consider  System  Configuration  No.  2  when  only 
one  transmitter  is  operable.  The  system  capability  is  no 
different  in  this  case  whether  one,  two,  or  three  receivers 
are  operable,  since  only  one  can  be  employed.  Therefore, 


268 


269 


only  two  states  of  receiver  operation  need  be  considered, 
viz.,  none  operable  and  one  or  more  operable.  This  assumes, 
of  course,  that  the  time  to  return  the  system  to  alert  does 
not  depend  upon  the  number  of  failed  subsystems.  This  may 
be  a  bad  assumption. 

A  further  simplification  is  possible  if  all  states  in 
which  no  system  capability  exists  are  treated  collectively 
as  a  single  state. 

Figure  4  illustrates  the  significant  states  to  be  con¬ 
sidered  in  evaluating  this  system  under  these  assumptions. 

8.3.I  Availability  Determination 
(Configuration  No.  2) 

The  first  step  in  this  evaluation  is  the  determination 
of  the  sta.te  availabilities  (A^'s).  The  model  for  each 
state  is  developed  by  considering  the  equipment  states. 
Whether  the  system  is  in  a  particular  state  depends  upon 
the  number  of  equipments  in  each  of  the  subsystems  which 
are  operable  or  failed.  For  system  configuration  No.  2 
to  be  in  state  10,  for  example,  exactly  three  generators; 
two  transmitters;  two  or  three  receivers;  one  or  two  data 
.Links;  one  or  two  computers;  one,  two,  or  three  communication 
sets;  one  or  two  data  processors;  one,  two,  or  three  data 


270 


I 


W 

oi 

D 

O 

n 


271 


SYSTEM  STATE  DIAGRAMS  SYSTEM  CONFIGURATION  NO 


fsj 


272 


Notes:  1.  Circled  numbers  are  Systems  State  Numbers. 

2.  Lower  portion  of  i;ach  subsystem  block  Indicates 

the  number  of  each  subsystem  which  Is  functioning. 

FIGURE  4.  (Continued)  SYSTEM  STATE  DIAGRAMS  SYSTEM  CONFIGURATION  NO. 


displays;  and  the  power  lines  must  be  operable.  If  any 
one  of  the  conditions  is  not  met,  the  system  will  be  in 
a  different  state. 


Thus,  the  equation  which  expresses  the  probability  of 
being  in  state  10  is 


where 


=  probability  that  3  generators  will  be 
operable  (available) 

=  probability  that  2  transmitters  will  be 
operable  (available) 

=  probability  that  either  3  or  2  receivers 
will  be  operable 


a„  =  probability  that  1  or  2  data  links;  1  or 

2  computers;  1,  2,  or  3  communication  sets; 
1  or  2  data  processors;  1,  2,  or  3  data 
displays;  and  the  power  lines  will  be 
operable  (available) 


A  similar  analysis  for  each  state  leads  to  the  models 
shown  in  Table  VI. 


The  sub-models  for  evaluating  the  terms  in  the  right 
hand  side  of  the  equations  in  Table  VI  are  shown  in  Table  VII; 
as  are  the  numerical  results  obtained  when  the  equipment 
availabilities  from  Table  III  are  introduced. 


TABLE  VI 


Models  for  -  System  Configuration  No.  2 


a0aG 


(4,5),  (4,3),  (3) 


A9  =  a0aG  aT 


(3),  (4,3),  (1) 


a0aG 


(4,5),  (4,3),  (2) 


A  -  a  a  (3)a  (2)a  (3>2) 

A10~  0  G  T  R 


ana^ 
U  u- 


(4,5)a  (4,3)a  (1) 


A  =  a  a  (3)a  (2)a  (X) 
11  0  G  T  aR 


a  a  (4*5)a  (2)a  (3,2) 
a0aG  aT  aR 


A12=  (1)  (3.8.1) 


a  a  G,5)a  (2 )  (1) 

a0  G  T  R 


A13  a0aG  aT 


(2),  (4,3,2)  (3,2) 


i  a  (4’5)a  (1)a  (3*2*1- 
l0aG  aT  aR 


A  ,  -  a  51  (2)a  (^>3,2)a  (1) 
14“  aCTG  T  aR 


^  -  a  a  (3)a  (4’3)a  (3) 

V7  “  0  G  T  R 


A  -  a  a  (2)a  (1)a  (3,2,1) 
15  0  G  T  R 


A8  -  a0aG  'aT 


(3)„  (4,3)„  (2) 


a  a  a  (La  (4’3,2,l)a  (3,2.1) 
Al6'  0aG  T  R 


A17  1 


T.  h 


where  a  denotes  availability;  a&  -  generator;  a^  -  transmitter; 
a^  -  receiver;  and  a^  -  power,  data  link,  computer, 
communications,  data  processor,  and  data  display. 

Superscripts  indicate  number  of  equipments  of  this  type  which 
must  be  operable.  Example: 

a&(^,3)=  probability  that' exactly  4  or  5  generators 
are  operable  (available). 


275 


TABLE  VII 


Sub-Models  for  Evaluating  Terms  in  Equations  of  Table  VI 


GENERATOR 


aG^=aG5=0‘9937i;i 

aG(2^=10a(}2(l-aG)3=1.97  x  10“8 

aG^^=5aQ2|(l-aG)=0. 006244 

aG^^=5aG(l-aG)4=l .24  x  10 

aG^3^10aG3(l-aG)2=1.57xl0-5 

aG'4,5^aG^5^+aG^^=°-999984 

TRANSMITTER 

aT(4)=(aT)4=0. 995013 

aT(4'3)=aT'4')+aT(3)=0-999"1 

aT(3)=4(aT)3(l-aT)-0. 004977 

ap(4j3,2 )=aT^ 4,3 ^+aT^2^-0. 999993 

aT^2^6(aT)2(l-aT)2=9.34xl0“6 

alj(4j3,2jl)=aT(4j3,2)+aT(1)=0. 999993+ 

aT(1)=4aT(l-&T)3=7.78xlO'9 

RECEIVER 

aR^3)=aR3-0.999250 

aR^3^2)-ap^3)+aR(2)=0. 9999996 

aR  ^ 2  ^ =3aR2 ( 1 - aR ) =7 . 50x10 '4 

aR^3,2"1^=aR^3,2^+aR^1^=0, 9999998 

aR(1^3aR(l“aR)2=1-87x10"7 

REST 

OF  SYSTEM 

a.0  =  [  [l-(l-ac)2j  ll-fl-a^)3!  [l-(l-ap)^ 

{l-(l-as)3J  aL  =  0.999071 


where  a^  denotes  data  link;  ac  -  computer;  aCQ  -  communications; 
ap  -  data  processor;  a<,  -  display;  and  a^  -  power  lines. 


276 


The  probability  of  being  in  any  system  state  at  a 
random  point  in  time  is  given  by  utilizing  the  results 
of  TableVIIin  the  equations  of  Table  'VI.  The  components 
of  the  availability  vector  are  then  listed  in  Table  VIII. 

8.3.2  Capability  Determination 
(Configuration~No.  2) 

The  assignment  of  the  state  capabilities  for  config¬ 
uration  2  followed  the  same  assumptions  as  those  made  for 
Configuration  1,  and  are  shown  in  Table  IX. 

8.3.3  Dependability  Determination 
(Configuration  No.  27 

As  noted  in  the  discussion  of  the  dependability 
matrix  for  Configuration  1,  the  elements  of  the  main 
diagonal  approach  unity  while  all  others  approach  zero 
if  the  actual  length  of  the  mission  is  short  compared  to 
the  mean  times  between  failures  for  the  systems.  To  provide 
an  indication  of  the  effect  of  approximating  the  Depend¬ 
ability  Matrix  with  the  identity  matrix,  the  effectiveness 
of  configuration  2  was  first  estimated  using  the  depend¬ 
ability  matrix  [d]  equal  to  the  identity  matrix  ,1  .  A 
value  of  E  =  0.9970  was  obtained.  A  second  estimate  was 

r 

made  using  the  matrix  D  made  up  of  its  elements  which 


277 


f 


TABLE  VHI 

Numerical  Values  of 
System  Configuration  No.  2 


A1  " 
A2 

A3  = 
A4  " 

A5  = 


a6  = 


0.998297 
0.749  x  10“3 
0.187  x  10"6 
0.933  x  10"5 
0.175  x  10 
0.776  x  10 


A7 


=  0.157  x  10 


-11 

-8 

-4 


a8  “ 

A9  = 
A10= 
All= 


0.118  x  10"' 
0.294  x  10"11 
0.146  x  10"9 
0.274  x  IO"16 


Alg=  0.122  x  10 
A,„=  0.197  x  10 


-12 


13 
A±h= 

A15= 

ai6= 


-7 

n-14 


0.369  x  10' 
0.153  x  10"15 
0.124  x  10"10 


a17=  .00093 


278 


TABLE  IX 


Numerical  Values  of 
System  Configuration  No.  2 


-1  _ 
"1  " 

P  = 

0.998 

H  _ 

"2  ~ 

•  95P  = 

0.948 

C3  ■ 

•  35P  = 

0.349 

c4  ’ 

•  75P  = 

0.7^9 

C5  - 

•  35P  = 

0.349 

°6  ' 

•  33P  = 

0.349 

c7  ‘ 

•  90P  = 

0.898 

c8  ' 

•  75P  = 

0.749 

°9  ■ 

•  35P  = 

0.349 

cio“ 

.75P  = 

0.749 

cll= 

•  35P  = 

0.349 

C12= 

•  35P  = 

0.349 

C13= 

.65P  = 

0.649 

cl4= 

•  35P  = 

;  0.349 

C15= 

•  35P  = 

:  0.349 

C16= 

.25?  = 

:  0.249. 

279 


were  significantly  different  from  zero.  The  value  obtained 
in  this  case  was  E  =  0.99696  which  is  equivalent  to  the 
value  of  0.9970  obtained  in  the  estimate  using  the  matrix  I 

8.4  Analysis  of  Configuration  No.  2 
In  analyzing  Configuration  No.  2  for  "bottlenecks"  such 
as  the  single  computer  of  Configuration  No.  1,  it  appears 
that  including  a  switchable  spare  receiver  in  addition  to  the 
switchable  spare  transmitter  might  substantially  increase 
effectiveness.  However,  when  the  model  was  exerc.is  J.  with 
this  additional  change,  the  effectiveness  was  only  increased 
to  0.99707  (equivalent  to  O.9971)  an  approximate  increase  of 
0.0001.  This  improvement  was  not  felt  to  warrant  the  expense 
involved  in  making  the  modification,  and  Configuration  No.  2 
was  selected  as  the  operational  model. 


EXAMPLE  D 

SPACECRAFT  SYSTEM  DEPENDABILITY 


281 


TABLE  OF  CONTENTS 


Page 

I.  INTRODUCTION  AND  SUMMARY . .  , . 285 

II.  DEPENDABILITY  EVALUATION  .  286 

1.0  Mission  Definition . .  .  286 

2.0  System  Description . 286 

2.1  General  Configuration . 286 

2.2  System  Block  Diagram . 287 

2.3  Mission  Profile . 289 

2.4  Delineation  of  Mission  Outcomes . 289 

3.0  Specification  of  Figure  of  Merit  .  . . 292 

4.0  Identification  of  Accountable  Factors  .  292 

4.1  Time -Be tween-FailUres  Distributions  .  292 

4.2  Stresses . 292 

4.3  Maintenance  Policy  .  293 

5.0  Model  Construction . 293 

5.1  Delineation  of  System  States . 293 

5.2  Operational  Considerations  and  Equipment  Usage  ...  294 

5.3  System  Model . 298 

6.0  Data  Acquisition  . 301 

6.1  Propulsion  System  Data . 301 

6.2  Forward  Section  Data . 303 

6.3  Ordnance  Section  .  306 

6.4  Structure  . . 306 

6.5  Environmental  Stresses  .  306 

7-0  Parameter  Estimation  .  311 

7.1  Propulsion  System  .  311 

7.2  Forward  Section . 316 

7.3  Ordnance  Items . 323 

7.4  Structure . 324 


282 


Page 

8.0  Model  Exercise . 336 

9.0  Additional  Comments  -  Structural  Reliability  .  338 

9.1  Extreme  Value  Approach  to  Evaluation  of  Structure  .  .  339 

9.2  Practical  Considerations  .  345 

BIBLIOGRAPHY . 350 


283 


ILLUSTRATIONS 


Figure  Page 

1  Block  Diagram  of  Spacecraft . 288 

2  Sequence  of  Events . 290 

3  Strain  Yersu.s  Pressure,  Helium  Tank . 327 

k  Proof  Test  Strain  Maxima,  Gage  No.  3 . 331 

5  Ultimate  Strength  as  a  Function  of  — . 341 

6  A  Family  of  £  (x)  Curves . . . 342 

7  Preliminary  Analysis  of  Burst  Test  Data . 347 


TABLES 

Table 

I  Atypical  In-Flight  Events  .  291 

II  Propulsion  Components  Not  Essential  to  Acceptable  Flight  ...  295 

III  Electronic  Assemblies  (Forward  Section)  Not  Essential 

to  Acceptable  Flight . 296 

IV  Spacecraft  Environments  and  Durations  .  297 

V  Failure  Rate  of  Propulsion  System  Components  (Based  on 

Failures  in  J.'C’md  Tests) . 304 

VI  Aerospace  Corporation  Generic  Failure  Rates  and 

Martin  Corporation  Generic  Failure  Rates  .  305 

VII  Stress  (k)  Factors  Applied  to  Failure 

Rates  From  Various  Sources . 309 

VITI  Failure  Rates  -  All  Components  of  the  AJlO-lOh 

Propulsion  System . 1312 

IX  Failure  Rates  -  Propulsion  Components  Not  Essential 

For  Acceptable  Flight . 315 

X  Electronic  Assemblies  Necessary  for  Perfect  Flight  .  317 

XI  Electronic  Assemblies  Necessary  xor  Acceptable  Flight  .  319 

XII  Range  Safety  System  Assemblies  . . 321 

XIII  AJ10-104  Helium  Sphere  (JC?)  Calculation  of  Stress  .  326 

XIV  Eight  Proof  Tests,  Helium  Tank  . . 329 

XV  Calculated  Reliability  Data,  Tank  .  . . .  .  .  330 

XVI  Transition  Stringer  .  333 

XVII  Ordered  Strain  Readings  .....  .  348 


284 


EXAMPLE  D 


SPACECRAFT  SYSTEM  DEPENDABILITY 

1.  INTRODUCTION  AND  SUMMARY 

In  this  example,  attention  will  be  focused  on  the  predic¬ 
tion  of  the  Dependability  characteristics  of  a  Spacecraft  System. 
This  example  is  included  in  order  to  provide  a  more  detailed 
analysis  in  the  area  of  reliability  prediction  than  was  generally 
presented  in  the  previous  examples.  Again,  the  procedure  demon¬ 
strated  here  should  not  be  interpreted  as  constituting  a  standard 
technique.  Rather,  the  example  illustrates  the  criteria  involved 
in  selecting  a  predictive  approach  and  the  exercise  of  the  tech¬ 
nique  selected. 

This  example  also  shows  one  approach  to  the  prediction  cf 
the  reliability  of  a  structure.  It  Is  important  to  recognize 
that  the  structural  portion  of  many  systems  are  important  con¬ 
tributors  to  the  system’s  effectiveness,  and  must,  therefore, 
be  evaluated  in  terms  of  their  influence  on  mission  success. 

Because  this  example  is  limited  to  the  Dependability 
analysis,  the  treatment  of  some  of  the  steps  in  the  general 
Effectiveness  evaluation  procedure  will  be  less  complete  than 
in  the  previous  examples.  The  assumption  is-  made  that  the 

l 

Dependability  matrix  developed  herein  will  be  compatible  with 
other  portions  of  the  Effectiveness  analysis. 


II .  DEPENDABILITY  EVALUATION 


1.0  Mission  Definition 

The  spacecraft  system  shall  be  capable  of  placing  a  variety 
of  payloads.  Including  multiple  satellites,  into  precise  orbits 
about  the  earth.  It  shall  have  the  capability  of  restarting  in 
space  after  a  sufficient  coast  period,  dependent  on  the  specific 
payload  and  attitude  orientation  in  space.  The  system  shall  be 
designed  as  an  upper  stage  rocket  propulsion  vehicle. 

2.0  System  Description 

The  system  described  herein  is  a  spacecraft  for  placing 
satellites  in  earth  orbits. 

2.1  general  Configuration 

The  spacecraft  is  a  liquid -propellant  upper-stage  rocket 
propulsion  vehicle  providing  all  the  control  elements  necessary 
for  placing  a  variety  of  payloads  in  precise  orbits  above  the 
earth.  The  spacecraft  has  the  capability  of  injecting  multiple 
satellites  into  orbit  about  the  earth  after  completion  of  one 
or  more  restart  cycles  in  space.  Thrust  vector  and  roll  control 
during  powered  flight  supplemented  by  coast  attitude  control 
provide  capability  for  obtaining  precise  circular  orbits. 

The  payloads  are. 'pro tec ted  with  an  aerodynamic  shroud 
during  the  appropriate  periods  of  flight,  and  upon  injection 


286 


Into  orbit  are  separated  from  the  stage  by  an  automatic  pre¬ 
programmed  sequence.  Retro-thrust  applied  at  separation 
decelerates  the  vehicle,  preventing  possible  collision  with 
the  payloads . 

Throughout  the  mission  the  satellite  launching  spacecraft 
telemeters  extensive  flight  data,  A  tracking  beacon  and  range 
safety  destruct  capability  are  also  provided. 

2. 2  System  Block  Diagram 

Figure  1  shows  a  breakdown  of  the  spacecraft  into  four 
systems,  viz,  propulsion,  forward  section,  ordnance  ''except 
range  safety)  and  structure.  The  safety  and  arming  mechanism 
c-f  the  range  safety  destruct  subsystem,  .which  is  located 
physically  in  and  must  perform  correctly  integrally  with  the 
propulsion  system,  is  considered  essential  to  mission  per¬ 
formance.  It  may  be  argued  that  the  destruct  arming  mechanism, 
which  is  not  required  to  function  except  in  the  case  of  failure 
should  not  be  included  in  the  flight  reliability  model,  luver- 
theless,  this  has  been  done  in  the  interest  of  a  through! v 
conservative  treatment  of  range  safety  ordnance.  The  risk  that 
range  safety  electronics  will  fail  to  actuate  the  destruct 
mechanism,  if  required  to  do  so,  is  dist..  ibuted  into  a  separate 
calculation.  This  failure  mode  is  always  contingent  upon  an 


287 


f 


288 


already  unacceptable . flight,  and  therefore  does  not  affect  the 
transition  probabilities  in  the  given  formulation  of  the  dependa 
bility  matrix. 

2 . 3  Mission  Profile 

In  Figure  2  is  shown  a  graphical  representation  of  the 
sequence  of  events  of  Interest  in  the  dependability  evaluation 

to  be  made.  A  tabulation  of  main  events  in  a  typical  mission 

* 

is  shown  in  Table  I*  These  events  determine  the  time  during 
which  various  stresses  will  be  experienced  by  various  cqmpo- 
nents.  Individual  computations  for  these  components  will  be 
made  for  each  time  period. 

2.4  Delineation  of  Mission  Outcomes 

It  is  assumed  here  that  in  the  complete  Effectiveness 
analysis,  mission  outcomes  have  been  defined  such  that  three 
system  states  must  be  considered.  These  states  represent 
system  conditions  in  which  one  of  three  outcomes  results: 

(a)  Perfect  operation; 

(b)  Acceptable  operation;  or, 

(c)  Unacceptable  operation. 


29 


Stop  command  guidance  24.  a.  Apply  payload  ordnance  power  (separate  payload) 

b.  Start  retrojets 


3-0  Specification  of  Figure  of  Merit 

Again,  It  Is  assumed  that  the  overall  Effectiveness  analysis 
has  dictated  that  the  Dependability  analysis  provide  the  proba¬ 
bilities  that  the  system  will  complete  the  mission  in  each  of 
the  three  states,  given  the  state  of  the  system  at  the  beginning 
of  the  mission. 

4.0  Identification  of  Accountable  Factors 

Determination  of  the  elements  of  the  Dependability  matrix 
will  depend  upon  several  factors.  These  are  discussed  below. 

4. 1  Time -Be tween -Failures  Distributions 

With  the  exception  of  the  safety  and  arming  assembly,  all 
components  in  the  propulsion  system  and  in  the  forward  section 
exhibit  constant  failure  rates. 

The  reliabilities  of  the  ordnance  and  structure  portions  of 
the  system  are  assumed  to  be  independent  of  time  and  will  be 
estimated  by  appropriate  methods. 

4.2  Stresses 

Since  the  stresses  experienced  by  system  components  differ 
at  various  points  in  the  mission,  their  individual  effects  must 
be  considered. 


292 


4. 3  Maintenance  Policy 


Insofar  as  Dependability  is  concerned,  the  significant 
observation  concerning  maintenance  is  that  no  repairs  .can  be 
accomplished  during  the  mission. 

5 • 0  Model  Construction 

3 . 1  Delineation  of  System  States 

The  three  mission  outcomes  delineated  in  Section  2.4  imply 
that  three  physical  system  states  must  be  considered.  These 
states  may  be  defined  in  terms  of  the  conditions  of  specific 
components  of  the  system. 

State  1,  which  results  in  "perfect"  operation,  requires  that 
all  system  components  function  properly. 

State  2,  results  from  failure  of  certain  non-essential 
components  which  cause  degraded,  but  acceptable  system  operation. 

State  3  represents  unacceptable  operation  resulting:  from 
failure  of  one  or  more  essential  components. 

In  this  example,  all  Ordnance,  Structural,  Range  Safety,  and 
Safety  and  Arming  components  are  essential  to  an  acceptable 
flight.  That  is,  any  failure  in  these  portions  of  the  system 
will  result  in  unacceptable  operation. 


293 


In  the  Propulsion  System  and  Forward  Section,  however,  the 
failure  of  certain  components  will  result  only  in  the  loss  of 
specific  desirable  but  non-essential  functions.  For  this  reason, 
these  items  --  and  their  probabilities  of  failure  --  must  be 
treated  separately  from  the  essential  items. 

In  Table  IX  are  tabulated  those  Propulsion  System  components 
which  provide  functions  that  are  not  essential  for  an  acceptable 
flight.  Table  III  shows  a  similar  list  for  non-essential  items 
in  the  Forward  Section. 

The  three  states  may  be  defined,  then,  as: 

State  1  --  All  components  operating  properly; 

State  2  --  All  essential  components  operating  properly;  and. 

State  3  --  One  or  more  essential  components  not  operating 
properly. 

5.2  Operational  Considerations 
and  Equipment  Usage 

During  the  mission  of  the  spacecraft,  several  different 
environmental  conditions  are  experienced.  In  Table  IV  these 
conditions  are  qualitatively  described  and  the  duration  of  each 
3tress  condition  noted. 

Because  the  probability  of  failure  is  related  to  the  stresses 
experienced  and  to  the  time  duration  of  these  stresses,  the  model 
must  reflect  this  effect.  This  will  be  accomplished  by  con¬ 
sidering  individually  the  probabilities  of  success  for  each  sub¬ 
system  during  each  stress  period,  and  then  combining  the  results. 


294 


TABLE  II 

PROPULSION  COMPONENTS 
NOT  ESSENTIAL  TO  ACCEPTABLE  FLIGHT 

Pressure  Transducers  (10) 
Flowmeter 

Sensing  Unit  ( Transonic s) 

Oxidizer  Probe 

Thermibtor  Probe 

Valve b 

Pitch  &  Yaw 
Tank  Settling 
Low  Thrust  Roll 

Oxidizer  Vent  Valve 

Fuel  Vent  Valve 

Quick  Disconnects 

Liquid 

Gas 

Wiggins  Valves 


295 


TABLE  III 


ELECTRONIC  ASSEMBLIES  (FORWARD  SECTION) 
NOT  ESSENTIAL  TO  ACCEPTABLE  FLIGHT 

Telemetry  Conditioners 
Telemetry  Transmitters 
Telemetry  Antenna 
Telemetry  Battery 
Vibration  Transducers  (3) 
Temperature  Sensors  (4) 

Low  Pass  Filter 


TABLE  IV 

SPACECRAFT  ENVIRONMENTS  AND  DURATIONS 

Environment 

Time  (Seconds) 

Booster  Duration  (Smooth) 

145 

Booster  Duration  (High  Vibration) 

20 

First  Firing  Duration 

285 

Coasting  Duration 

1620 

Second  Firing  Duration 

10 

Total  Mission  Length 

2080 

Certain  components  of  the  system  are  not  required  to  operate 
during  all  portions  of  the  mission.  This  fact  must  be  reflected 
in  the  predictions  made.  Specifically,  the  Range  Safety  System 
is  of  importance  only  until  the  first  vehicle  firing  is  complete. 
Therefore,  this  system  will  be  evaluated  over  a  period  of  only 
450  seconds. 

5.3  System  Model 

The  fact  that  three  states  of  the  system  are  possible  requires 
a  three  by  three  dependability  matrix.  The  matrix  will  be  of  the 
standard  form, 


dll 

d12 

d13 

d2l 

d22 

d23 

d 

d 

d 

31 

32 

33 

Because  no  maintenance  is  possible  during  the  mission,  no 
transition  from  a  lower  to  a  higher  state  is  possible.  Further, 
since  a  system  initially  in  State  3  cannot  move  to  a  lower  state, 
the  d^g  element  is  equal  to  1.0.  The  actual  matrix  to  be  evalua¬ 
ted,  then,  is: 


d12  dl3 


where 

d^1  =  probability  that  spacecraft  will  have  no  failure 

during  mission;  given  that  it  is  initially  nonfailed. 


298 


d,0  =  probability  that  the  spacecraft  will  have  one  or  more 
^  non-critical  failures  in  the  mission,  given  that  it 
was  initially  non-failed. 

d  =  probability  that  the  spacecraft  will  have  one  or  more 
l-'  critical  failures  in  the  mission;  given  that  it  was 
initially  non-failed. 

d^p  =  probability  that  the  spacecraft  will  not  have  a  critical 
failure  in  the  mission;  given  that  it  initially  has  one 
or  more  non-critical  failures. 

dp^  -  probability  that  the  spacecraft  will  have  one  or  more 
^  critical  failures  in  the  mission;  given  that  it 
initially  has  one  or  more  non-critical  failures. 


It  is  assumed  in  this  example  that  the  several  subsystems 
are  independent  of  each  other.  Therefore,  the  Product  Rule  is 
applicable.  The  element  d^  can  be  evaluated  from: 


dll  RPRFR0RS 

where 


Rp  - 

Ro  - 


Rp  and  Rp 


probability  of  no  propulsion  failure 
probability  of  no  forward  section  failure 
probability  of  no  ordnance  failure 
probability  of  no  structural  failure 
will  be  computed  from  the  exponential  equation 


R  =0 


N 

-c 

i=l 


x.t. 
1 1 


where 


Rq  and  Rs 


N 

time  period  of  interest  (total  time  period  =  5~7  t. 

i=l  1 

failure  rate  anticipated  during  this  time  period, 
will  be  determined  from  a  peak  stress  analysis. 


299 


The  element  d12  represents  transition  from  State  1  to  State  2 
and  is  represented  as : 

di2  =  RpRp( 1-RpRp)  RqRs 

where 

Hi  =  probability  of  no  essential  component  failure  in 
propulsion  system 

Rp  =  probability  of  no  non -essential  component  failure  in 
propulsion  system 

R^,  =  probability  of  no  essential  component  failure  in  forward 
section 

R "  =  probability  of  no  non-essential  component  failure  in 
F  forward  section. 

This  may  also  be  expressed  as 

dl2  =  R^fP0rs  "  dll 

Values  for  R£,  Rp,  Rp  and  Rp  may  also  be  computed  from  the  expo¬ 
nential  expression. 


The  d^^  element  is  computed  from: 

d13  =  1  ”  KPRPR0RS 


or 


d13  1  ”  ^dH  +  d12) 


The  expression  for  d22  is  simply: 

d22  -  RXR0RS 

and  for  d23  : 


300 


6 . 0  Data  Acquisition 


In  this  section,  the  sources  of  failure  rate  data  employed 
in  this  analysis  will  be  discussed.  Additionally,  because  the 
stresses  encountered  by  the  system  components  will  differ  during 
various  phases  of  the  mission,  adjustment  factors  must  be 
employed  to  modify  the  basic  failure  rates.  Therefore,  a  brief 
discussion  of  the  environmental  stresses  will  also  be  presented, 
and  the  factors  selected  for  application  to  specific  components 
during  various  mission  phases  will  be  shown. 

6 . 1  Propulsion  System  Data 

Failure  rates  for  components  in  the  propulsion  system  were 
determined  from  actual  usage  in  the  various  hangar  checkout 
tests  of  the  spacecraft  and  its  propulsion  system,  both  at  the 
manufacturing  site  and  at  AMR  prior  to  launch.  Failure  data  on 
identical  components  from  both  the  Able  and  Ablestar  programs 
was  employed.  These  data  include  information  from  the  ’’Able" 
program  which  preceded  the  current  program,  and  from  test  data 
on  six  ,  AJ10-104  propulsion  systems. 

6.1.1  Data  from  Previous  Program 
The  failure  rates  in  prior  analyses  were  based  on  thirteen 
successful  flights  of  Able -type  units  prior  to  the  first  Ablestar 
firing  with  an  AJ10-104  propulsion  system.  In  addition,  there 
were  four  other  Able  units  which,  unfortunately,  ne/er  had 


301 


opportunity  to  perform  due  to  malfunctions  occurring  in  the 
first  stage  vehicles.  The  tot-ax  flight  time  for  these  units  of 
1332  Seconds  represented  an  average  of  a  little  over  100  seconds 
operation  per  propulsion  system.  It  was  evident  that  a  valid 
estimate  could  not  be  made  with  this  data  alone,  since  the  time 
on  each  unit  was  only  a  little  more  than  one-third  the  expected 
AJ  10-104  firing  time  and  the  total  firing  time  was  only  four  and 
one-half  times  that  of  a  single  AJ10-104  propulsion  system's 
operating  time. 

To  obtain  more  operating  time,  data  were  obtained  from  the 
pre-flight  rating,  acceptance,  and  checkout  tests  of  these  prior  Able-type 
vehicles  flown.  The  "hot"  firings  for  all  vehicles  added  up  to 
399S  seconds.  Based  on  ten  checkout  tests  of  AJ 10-40  and 
AJ  10-42  propulsion  systems,  the  average  checkout  time  of  a 
single  vehicle  is  64.4  hours.  Therefore,  it  was  concluded  that 
even  the  hot  firing  test  time  was  not  sufficiently  significant 
for  the  analysis.  For  seventeen  vehicles  the  total  checkout  time 
is  17  x  64.4  =  1093  hours,  which  was  used  as  the  time  base  for 
all  failures  that  occurred  in  any  test  phase. 

6.1.2  Data  from  Current  Program 

Since  that  time,  eleven  AJ  10-104  propulsion  systems  have 
been  fabricated  and  ground  tested.  Of  these,  six  have  a  history 
of  time-related  test  data.  This  time  can  be  broken  into  240 


302 


secor 


of  check¬ 


out 

time 

chef 


fne 

propulsion 
Table  V. 
were  not  a 
in  Ref.  2  v 

t 

Because 
components  ; 
provide  a  b 
reliability 
tests.  Of  t. 
of  failure  r 
heading  "Pre: 
ble  to  space 
Table  VI. 

The  Aero, 
sources  inclu. 
in  the  Aerosp; 
ur:-d.  These  1 


checkout 


rs  of 


rates  of 
sted  in 
Rings 
Tis  listed 


t  would 
■onic 
gar 
able 

1  ica- 
n 


d 

ere 


TABLE  V.  FAILURE  RATE  OF  FROPULSIOII  SYSTEM 


(Based  on  Failures  In  Ground  Tcoto) 


Part  Type 

* Accumulator,  Bandlx 

Aooumulator  Aeey . , 

Pressure 

Aotuator  Aaay. ,  Servo 
Block  Aeey.,  Servo 
Hemeee  Aeey. ,  Propulsion 
Hoee  Aeey.,  Reeletoflex 


Able  Unlt-Manlfold 
Conax  Valve  Manifold 
hydraulic  Manifold 
Attitude  Control  Syatea 
Propulsion  Syetea 

Manifold  Total 
Probe  Aeey.,  Oxldlrer 

Quick  Dleoonneot 
(Liquid) 

Quick  Dleoonneot  (flee) 

1  Reservoir  Aeey. 

2Swltoh  Aeey. 

Transducer,  Pressure 

Pressure  Lines  ft  Tubes 


Check  Velve  PCV  H 

Check  Valve  OCV 

Check  Velve  Q 

(Pneuaatlo  k  Hydraulic)  I 

Velve  Aeey., 

Fuel  Control  (FTCV) 

Velve,  Solenoid  I 

(Subject  to  Propellant  Fusee )H 
Velve  Aaay. 

Oxldlrer  Control  (OTCV)  H 

Velve  Aeey.  | 

Pressure  Rag,  He  Hue 

Velve  Solenoid,  Oaa 


Velve  AsSy 

Pressure  Meg,  Nitrogen 

^Valve  Aeey 
Tavco  Mellef 
Valve  Relief 
Hydraullo  Pressure 


8  Able  Type  Test  Tin* 
(No.  of  Items) (Hours) 


1  ^1095 

Not  Avellable 


Failures  In 
Able  Type 


Able star  Tout  Time 
(No.  of  1  teniu)(llouru) 


1  Band  lx  Accumulator  le  assumed  to  have  the  seme  failure  rate  ee 
2 for  Confldenoe  of  7  *  .50#  0  failures  In  1550  hours  indicate  1 
3Por  Confldenoe  of  ^  -  .50,  O  failures  In  1540  hours  Indicates 


Reservoir  Assembly, 
failure  In  2240  hours. 

1  failure  In  2240  hours. 


Failures  in 
Abies  la  i* 


Total  Full urea 
per  103  Hours 


a  denotes  contact  aet 


6 . 3  Ordnance  Section 


For  ordnance  components,  such  as  for  stage  separation,  nose 
fairing  separation  and  payload  separation,  each  lot  of  explosive 
devices  is  tested  to  assure  a  reliability  of  .995  with  95  percent 
confidence . 

6 . 4  Structure 

Data  employed  in  predicting  structural  reliability  will  be 
presented  in  a  later  section  in  order  to  facilitate  the  discus¬ 
sion  of  the  predictive  approach. 

6. 5  Environmental  Stresses 

In  order  to  use  properly  the  failure  rates  presented,  two 
conditions  must  be  accounted  for.  First,  the  variations  in 
stresses  anticipated  during  actual  flight  must  be  considered; 
and,  second,  the  differences  in  stress  conditions  existing  during 
actual  flight  and  those  existing  at  the  time  of  data  collection 
must  be  evaluated. 

Several  environmental  conditions  of  flight  (vibration,  vacuum, 
thermal  conditions)  are  common  to  both  propulsion  components  and 
electronic  units. 

For  each  flight,  the  Ablestar  stage  may  be  described  .as 
experiencing  five  distinct  environments  from  first  stage  "ride" 
to  final  burnout.  These  five  environments  are  (1)  the  "ride"  on 


306 


the  booster  stage  below  and  above  maximum  dynamic  pressure  (max  q.), 

(2)  the  "ride"  on  the  booster  during  max  n,  (3)  the  time 
of  first  firing  of  the  A J  10-104  propulsion  system,  < 4 )  the  coast 
time,  and  (5)  the  period  of  re-start  (second  firing).  These  times 
were  shown  in  Figure  2.  The  time  between  first  stage  burnout  and 
second  stage  firing  is  not  considered  because  it  is  too  short  to 
affect  the  overall  calculations. 

6.5.I  Stress  Factors 

The  failure  rates  listed  in  the  tables  were  not  obtained 
from  in-flight  vehicles.  Consequently,  a  stress  factor  designated 
as  K,  must  be  used  as  a  multiplier  for  these  listed  failure  rates 
so  that  the  in-flight  failure  rate  may  be  approximated.  Table  V  E 
(pg.  93)  in  Data  Source  #7  (WSEIAC)  shows  the  various  adjustment 
factors  for  different  environmental  stresses,  as  reflected  in 
vehicle  mission. 

As  discussed  below,  a  somewhat  different  approach  is  used  in 
determining  the  K  factor  for  propulsion  components  and  electronic 
or  forward  section  components. 

The  electronic  subsystems  acceptance  checkouts  are  considered 
as  being  at  somewhat  higher  environmental  stress  than  the  ground 
conditions  of  Data  Source  #7  (WSEIAC).  The  environment  for 
electronic  subsystems  at  maximum  aerodynamic  pressure  of  the 
boost  phase  is  considered  to  be  much  more  severe  than  the  environ¬ 
ment  for  the  remainder  of  the  boost  and  vehicle  operation. 


307 


Similarly,  for  each  change  of  environment  of  the  stage,  the 
value  of  K  changes  for  the  propulsion  system  although  somewhat 
differently  from  the  assumed  change  of  K  in  the  electronics  sub¬ 
systems.  Ground  tests  of  the  propulsion  system  components  do  not 
compare  in  many  instances  with  the  stress  experienced  in  flight; 
i.e.,  nitrogen  is  used  throughout  during  propulsion  acceptance 
leak  checks  instead  of  actual  propellants.  However,  there  is  no 
difference  in  the  electrical  power  applied  to  the  electronic  units 
between  systems  tests  and  flight  operation. 

Propulsion  System  Factors 

The  propulsion  checkout  tests  are  fairly  severe.  The 
boosted  flight,  however,  except  at  lift-off,  during  the  transonic 
period  and  at  stage  separation,  is  quite  smooth.  During  these 
periods  --  which  in  total  probably  do  not  exceed  20  seconds  --  a 
K  factor  of  6.7  is  used. 

During  the  period  of  vehicle  operation,  a  factor  of  unity  is 
applied.  Since  during  the  major  portion  of  the  Boost  phase  the 
stress  is  less  than  during  vehicle  operation,  a  factor  of  0.8  is 
employed.  The  Coast  period  represents  even  lower  stresses, 
leading  to  the  assignment  of  values  of  0.1  and  0.2  to  K. 

The  attitude  control,  however,  continues  to  operate  at  an 
operational  stress  close  to  the  design  nominal.  Consequently,  a 
value  of  1.0  is  employed  for  this  device.  These  factors  are 

*  if- 

summarized  in  Table  VII. 


308 


f 


309 


Electronic  System  Factors 

In  calculating  the  failure  rates  for  electronic  components,  a 
K  factor  of  200  (250  for  the  gyro  reference  assembly)  was  selected 
for  the  20  seconds  of  maximum  stress  (which  occurs  at  lift-off, 
maximum  aerodynamic  pressure  and  again  at  stage  separation),  a  K 
factor  of  25  for  Booster  phase,  40  for  vehicle  operation  and  10 
for  the  coast  period  for  the  following  reasons:  The  stress  en¬ 
countered  by  the  electronics  during  Ablestar  operation  v.hen  the 
electronics  are  required  is  assumed  to  be  somewhat  high  than 
the  stress  encountered  during  the  ground  systems  test.  There  is 
some  empirical  evidence  that  the  failure  rates  determined  from 
ground  systems  testing  on  the  Ablestar  electronics  are  about  25 
times  the  failure  rates  encountered  under  laboratory  conditions.—^ 
On  this  basis,  it  is  assumed  for  the  boost  operation  with  power 
on  and  electronics  not  required,  that  the  stress  factor  K  is  25, 
and  for  the  Ablestar  operation  with  power  on  and  electronics  re¬ 
quired,  that  the  stress  factor  is  40.  During  coast  period,  a 
stress  factor  of  10  is  used.  Vibrational  effects  are  virtually 
non-existent,  but  vacuum,  temperature,  and  other  space  influences 
may  tend  to  cause  deleterious  stresses  during  coast.  These 
factors  are  also  shown  in  Table  VII. 


■“From  Table  I  in  Ablestar  Stage  Reliability  Progress  Reports, 
SGC  No.  105R  Series. 


310 


7.0  Parameter  Estimation 


In  this  section,  the  several  reliability  characteristics 
f  ■  T*  the  system  components  will  be  determined. 

7 . 1  Propulsion  System 

7.1.1  Probability  of  Perfect  Flight 
The  reliability  of  the  AJ  10-104  propulsion  system, 
including  the  mechanical  components  of  the  attitude  control 
subsystem,  is  computed  from: 

-(  t 

R  =  t. 


i  Af  +  A2  +  4^  A 3  +  A^  +  tp.  /v_) 


whe  re 

t.  is  the  time  during  which  a  particular  stress  is 
1  encountered,  and 

A.  is  the  failure  rate  during  that  period. 

The  subscripts  indicate  the  following  time  periods: 

1  -  Booster  ride 

2  -  Maximum  aerodynamic  pressure  during  booster  vdde 

3  -  First  spacecraft  operation 
A  -  Coast  operation 

5  -  P.e-start  operation. 

Employing  the  failure  rates  and  the  stress  factors  dis¬ 
cussed  in  Section  ‘6  the  failure  rates  shown  in  Tt.jlu  Mil  -'or  ;  c 
several  sub-assemblies  of  the  propulsion  system  may  be  obtained. 


311 


•3-  CO 

o  p 
P  d 

I  O 

O  X 

P 

►-3  Xf 

<  C 


P 

CO  Q) 

H  a 
X 


8  S 

S£  rH 
O  "H 

O  Cd 


CM 

OJ 

V 

CO 

0 

V 

CO 

V 

co 

1 — 1 

IV 

LT\ 

0 

CTv 

CM 

rH 

-3- 

in 

^1-- 

d 

vo 

V 

VO 

0 

0 

vd 

rH 

OJ 

rH 

CM 

CO 

0 

-=}- 

vo 

co 

VO 

rH 

V 

CO 

co 

rH 

rH 

rH 

OJ 

in 

rH 

0 

CM 

0 

OJ 

0 

rH 

rH 

0 

IV 

CO 

rH 

-=d“ 

OJ 

V 

CO 

0 

V 

OO 

tv 

co 

rH 

V 

in 

0 

o\ 

CM 

rH 

-=t 

in 

-=t 

C\l 

d 

vo 

V 

VO 

d 

d 

vo 

rH 

OJ 

rH 

CM 

0 

V 

vo 

-=t 

CM 

00 

tv 

-=t 

CP 

tv 

rH 

co 

-=t 

CO 

V 

V 

CO 

tv 

rH 

in 

OJ 

00 

cA 

CM 

o\ 

d 

IV 

vo’ 

cd 

tv 

00 

in 

00 

tv 

rH 

co 

rH 

rH 

rH 

0J 

0 

V 

Ov 

• 

d 

O 

■H 

d 

d 

p 

>1 

O 

0 

cd 

rH 

•H 

•H 

rH 

p 

•p 

P 

rH 

bO 

p 

p 

E 

m 

<0 

Cd 

d 

p 

p 

<u 

rH 

rH 

P 

■H 

cd 

0 

m 

rH 

rH 

d 

CO 

N 

p 

O. 

P 

CO 

cd 

cd 

0 

d 

•H 

CO 

a 

O 

< 

-p 

p 

■H 

M 

p 

<D 

0 

*•“3 

co 

CO 

p 

p 

K 

CO 

cd 

c 

d 

c 

Cd 

E 

CO 

s 

0 

H 

M 

rH 

0) 

CO 

e8 

XI 

•H 

rH 

p 

<u 

d 

d 

E 

•p 

m 

E 

Cd 

CO 

p 

1 — i 

cd 

nH 

0) 

■H 

to 

OJ 

P 

CP 

O 

CO 

-p 

ra 

<u 

p 

W 

co 

d 

P 

p 

P  <u 

CQ 

d 

d 

CO 

d 

^  0 

P 

0) 

O  *H 

t>> 

cd 

p 

>3 

H 

c 

d  p 

C 

p 

d  p 

CO 

p 

m 

CO 

•H 

cd  p 

O 

E 

p 

Eh 

W 

P 

cd 

Eh  cd 

O 

cd  >3 

w  E 

0 

0 

0) 

P 

rH 

p  p 

P  <D 

•H 

XJ 

■H 

O 

Q 

f-4  rH 

0)  E 

0  p 

d  W 

P 

d 

0 

rH 

d 

<u  <d 

XJ  0) 

E 

0)  CO 

cd 

cd 

rH 

p 

XJ 

08 

N  P 

3  P 

P  0) 

d  cd 

E 

1 

Cd 

M 

p  co 

P  co 

co  w 

0  p 

3 

* 

0 

P 

d 

rH 

x)  d 

«H  t>> 

d  00 

a  d 

<u 

d 

1 — 1 

Xl 

cd 

rH 

P  M 

P  CO 

p  <c 

E  co 

c 

cd 

>3 

p 

■H 

X 

p 

p 

0 

a 

H 

< 

X 

Eh 

0 

< 

Eh 

0 

TOTAL  56.09  5^5.78 


While  not  shown  in  this  report.,  the  failure  rates  of  individual 
elements  as  sub -assembly  components  are  presented  in  Reference  1 
(Table  'VlJ,  The  reference  also  shows  the  K  factors  employed.' 
Generic  failure  rates  for  working  and  pressurized  components; 
e.g.,  valves  and  pressure  lines,  listed  in  the  reference  are 
estimated  failure  rates  during  system  tests  on  these  items. 
Failure  rates  for  structural  and  miscellaneous  items;  e.g., 
brackets,  gaskets,  are  from  Reference  2, 


Emp] oying 

the  summations  of  failure 

rates  from 

'Table  vm 

the 

times  froii 

figure  2.  ..ho  p-’oboti]  i  ty 

or  . 

s ’  '  1 

the 

pro pul sion 

and  related  systems  is  esi 

:i  mated  iron 

-{ MJ>5)/^60C'}n000)  -t  5*15.8  ,<20,/f?.b00 ,  (  iGOO  . 

-  e  e 

-(92. 1*4;  (235  ;/(3600;  ( 1000;  -(2U.L2  .  (  1620  //fjoou,  i  .1  joO 

e  e 

- ( 9*4 . 12 ;  f  10  )/( 3600 )  ( 1000 i 

e 

-85,811/3,600,000 

=  e 

-.02384 


Rp  =  .9764 

7.1.2  Probability  of  Acceptable  Flight 
The  following  reliability  estimate  is  based  on  the  assumption 
that  items  such  as  propellant  and  gas  fill  and  drain  quick  dis¬ 
connects  and  the  oxidizer  and  fuel  vent  valves  are  items  which  do 


313 


not  function  or  operate  after  initial  loading.  Any  leak  in  these 
items  will  be  detected  while  the  vehicle  is  still  on  the  ground. 
Also,  certain  disconnects  and  valves  have  redundant  features  which 
preclude  leakage;  therefore,  their  reliabilities  will  be  approxi¬ 
mated  by  unity  in  the  acceptable  flight  calculations.  These  are: 
(l)  fill  and  drain  disconnects  and  shut-off  valves,  both  fuel  and 
oxidizer;  (2)  umbilical  power  disconnects,  squib  actuated  and  pull 
separation;  (3)  helium  and  nitrogen  fill  disconnects,  and  helium 
and  nitrogen  check  valves. 

During  the  restart  and  second  Ablestar  firing,  the  pitch  and 
yaw  control  valves  need  not  operate;  one  valve  of  this  type,  which 
is  used  as  a  settling  jet,  does  not  operate  beyond  this  point. 

The  pressure  transducers  are  not  essential  for  acceptable 
operation,  and  the  destruct  assembly  is  also  not  necessary  for 
either  "perfect"  or  "acceptable"  flight;  for  it  will  be  used  only 
if  the  flight  is,  in  fact,  determined  to  be  unsuccessful. 

Table  IX  lists  the  failure  rates  of  these  non-essential  items. 
Subtracting  these  failure  rates  from  the  total  failure  rates  of 
Table  VI,  the  following  estimates  of  the  failure  rates  results: 
booster  ride  56. 09  -  18.12  -  37-97;  high  vibration  545.8  -  153.1  = 
392.7;  first  operation  of  Ablestar  92.14  -  27.16  =  64.98;  coast 
period  24.42  -  4.51  =  19-91;  and  second  operation  of  Ablestar 
94.12  -  29.74  =  64.38  failures  per  100C  hours.  The  estimated 


314 


Ol 

VO 

O 


rH  VO 

co  in 

ts  CO 


o 

cf 

c- 


<C  ay 
H  P, 
Eh  =1 
z  o 
w  w 
w 

W  T3 

w  c 

r 

Eh  B) 
O  3 
Z  o 

CO  £ 
Eh 

55  Pi 
W  a) 

z  a 

£  ■* 
2  d) 

8  U 

rH 

Z  -H 
O  cd 
H  pc, 
CO  v_^ 
t-3 

£ 


o 

CVJ 

» 

rH 

co 

o 

o 

<J\ 

■=t 

CO 

o 

VO 

OJ 

o 

-=j- 

OJ 

• 

in 

m 

CO 

• 

m 

m 

co 

-=t 

rH 

CO 

VO 

-=t 

rH 

rH 

ts 

OJ 

o 

o 

-=}• 

ts 

o 

-=t 

CT\ 

rH 

VO 

o 

VO 

Ov 

Ov 

o 

is- 

ts 

VO 

CO 

in 

VO 

o 

CO 

in 

00 

c- 

ts 

o 

ts 

co 

• 

• 

• 

• 

• 

• 

• 

• 

• 

• 

00 

rH 

OJ 

-=t 

rH 

rH 

-=t 

rH 

o 

in 

OJ 

CO 

o 

c- 

s- 

co 

co 

OJ 

c- 

s- 

o 

o 

oo 

oo 

VO 

o\ 

oo 

VO 

o 

O', 

-=fr 

o 

00 

oo 

OJ 

oo 

o 

• 

• 

• 

• 

. 

• 

• 

• 

• 

• 

t" 

VO 

c- 

VO 

rH 

rH 

ts 

-=t 

C\ 

in 

rH 

rH 

rH 

OJ 

o 

OJ 

OJ 

O'. 

o 

o\ 

ON 

in. 

in 

in 

co 

OJ 

t- 

t- 

o 

rH 

rH 

m 

oo 

00 

00 

o 

00 

00 

-=r 

■=t 

OJ 

in 

o 

• 

• 

• 

• 

• 

• 

• 

• 

• 

• 

VO 

o 

rH 

rH 

rH 

co 

rH 

o 

' 0 

r-v 

rH 

o 

rH 

'W-' 

rH 

c 

bp  o 

(0 

o 

C  K 

ph 

«0 

*2  «rH 

<u 

<u 

c 

id  rH  -P 

> 

o 

Cd 

>H  -P  63 

rH 

ay 

GO 

c 

p. 

<u 

■p  y 

cd 

-P 

-p 

'O 

Eh 

n 

08  d>  Ph 

> 

d) 

o 

o 

CO 

' 

dJ 

o 

W  fi 

> 

d) 

<u 

ay 

wi 

cd 

-P 

o 

£ 

»*H  U  * 

O  ^ 

*  ^ 

c 

cd 

r* 

2 

2 

> 

Ph 

Ph 

-PC? 

<u 

> 

O'"' 

o 

rH 

Eh 

c 

a 

•H  Id  0 

> 

O  TJ 

o 

cd 

Ph 

!=> 

o 

CEC 

-p 

ay  .h 

CO 

> 

d> 

<D 

Ph 

■p 

v _ ✓>. — - - 

Ph 

c 

tH  C 

Ph 

■P 

M 

OJ 

CO 

<u 

(1) 

Q  o' 

Q  w 

ay 

c 

0) 

2 

N 

ay 

N 

> 

cfl 

C 

ay 

E 

«H 

E 

0) 

•H 

^  o 

«H 

CO 

3: 

GO 

TJ 

H 

> 

T3 

rH 

O  — ' 

o  — ' 

bO 

<v 

o 

c 

■H 

0) 

rH 

•H 

a; 

•H 

bO 

Ph 

rH 

<u 

X 

cd 

x 

P 

«H 

ch 

&, 

co 

o 

P 

> 

o 

£ 

<y 

<y 

315 


♦Armed  for  only  last  part  of  second  firing. 


reliability  of  the  Propulsion  System  for  acceptable  flight  is 
thus :  * 

-(37.97)(145)/(3600)(1000)  -(392 .7) (2o.)/(36oo) (1000) 


- ( 64 . 98 ) ( 285 )/( 3600 ) ( 1000 )  - ( 19 . 91 ) ( 1620 )/( 3600 ) ( 1000 ) 

e  e 

-(64. 38) ( 10 )/( 3600 ) ( 1000 ) 

e 

-64 , 777/3  > 600 , 000 

=  e 

-.017994 

=  e 

=  .9822. 

7.2  Forward  Section 

The  reliability  of  the  forward  section  of  the  Ablestar  stage 
is  calculated  through  the  use  of  the  failure  rate  data  summarized 
in  Table  vi. 

7.2.1  Probability  of  Perfect  Flight 
Table  X  tabulates  the  failure  rates  of  all  electronic  compo-  - 
nents  in  the  Forward  Section.  For  a  "perfect"  flight,  all 
assemblies  listed  in  Table  X  must  function  properly.  The 
following  calculations  show  the  reliability  estimate  for  a 
"perfect"  flight  of  the  electronics  section. 


316 


i 


TABLE 


ELECTRONIC  ASSEMBLIES  NECESSARY  FOR  PERFECT  FLIGHT 


Assembly  Name 

Generic  Fr/10^  Hrs. 

Essential  Assemblies 
( See  Table  x ) 

6l6„ 8l 

Telemetry  Conditioner 

388.82 

Telemetry  Transmitter 

31.86 

Telemetry  Antenna 

2.00 

Telemetry  Battery 

25.30 

Vibration  Transducers  (3) 

90.00 

Tempex-ature  Sensors  (4) 

13.20 

Low  Pass  Filter 

.82 

TOTAL  (perfect) 

1368.81 

317 


t 


-  - 1 - -  1  20 17200 )( 1287.98)  +  250(80.23)1  + 

=  e  3600x100  J  *- 

1368.81  ji45(?0)  +  (285)(4o)  +  1620(10)  + 

X 

10(4oj]  • 

-  0.0136  ^ 

Rp  =  e 
Rp  -  .9865. 

7.2.2  Probability  of  Acceptable  Flight 
Table  XI  lists  the  electronic  subsystems  which  must  work 
during  an  "acceptable"  flight.  Since  the  static  inverter  dummy 
load  can  fail  open  and  not  cause  serious  degradation  of  the  flight, 
only  half  of  its  failure  rate  is  used  for  the  "acceptable"  flight. 
The  BTL  guidance  package  is  not  included  in  these  calculations  be¬ 
cause  itis  Government-furnished  and  is  therefore,  treated  as  being  external 
to  the  Ablestar  stage.  The  following  calculations  show  the  relia¬ 
bility  estimate  for  an  "acceptable"  flight  of  the  electronic 
section : 

'  _  '  3600x108  f  20 jj 200) (737. 2?)  +  (250)(80.83)]  - 

8l6.24[jl45)(25)  +  (285)  (40)  +  (1620)  (10)  + 
(10(402)  ’ 

-  .0081  ' 

R£  =  e 

Rp  =  .9919. 


318 


■Ojpk- 


r 


t 


TABLE  XI 

ELECTRONIC  ASSEMBLIES  NECESSARY  FOR  ACCEPTABLE  FLIGHT 

Assembly  Name 

Generic  Fr/10^  Hrs. 

Gyro  Reference  Assembly 

80.83 

Electronics  Package 

212.91 

Programmer 

346 . 96 

Accelerometer 

75.44 

Distribution  Box 

14.84 

Battery  Box 

23.14 

Static  Inverter 

56.44 

Static  Inverter  Dummy  Load 

1.13* 

Fuel  Vent  Cable 

.12 

TOTAL  (acceptable) 

816.245 

♦Total  generic  failure  rate  of  these  assemblies 
is  8l8.6l  failures  per  million  houx’s  but  only 
half  the  failures  of  static  inverter  dummy  load 
(i.e.,  failed  open)  will  cause  an  unacceptable 
flight.  Therefore,  total  generic  failure  rate 

Is  8l6.8l  -  1.13/2  =  816.245  failures  per 
million  hours. 

i 


319 


In  determining  the  reliability  of  the  electronic  section, 
the  reliability  of  the  Range  Safety  System  has  not  been  included. 
This  has  been  done  because  the  functioning  of  the  Range  Safety 
System  is  wholly  dependent  on  a  failure  of  another  part  of  the 
stage.  The  probability  of  the  Range  Safety  System  working  when 
it  is  not  supposed  to  is  very  remote  and  is,  therefore,  not  in¬ 
cluded  in  the  calculations. 

The  electronics  assemblies  of  the  Range  Safety  System  are 
listed  in  Table  XII.  Since  the  Range  Safety  System  is  only 
required  to  function  through  SF,CO  I,  its  operating  time  is  450 
seconds.  The  reliability  estimate  of  the  electronics  of  the 
Range  Safety  System  is  shown  in  the  following  calculations. 

RS(electrcnics ) 

=  e 

-  .0035 

=  e 

=  .9965. 

The  safety  and  arming  mechanism  is  placed  in  the  propulsion 
section  and  its  reliability  is  estimated  as  .9982,  apportioned 
.9984  to  the  switch  and  explosive  charge  and  .9998  to  the  mechanism. 


:2QO)(665.5l)+(l45)(25)(665.5l)+(g85)(4o)(665.511 

3600x10^ 


TABLE  XII 


RANGE  SAFETY  SYSTEM  ASSEMBLIES 


Assembly  Name 

Generic  Fr/10^  HrB. 

Tracking  Beacon 

505.48 

Receiver 

81.60 

Control  Box 

10.36 

Battery 

25.30 

Antennas  (6) 

12.00 

378  Beacon 

18.67 

Beacon  Battery 

11.28 

Destruct  Filter 

.82 

TOTAL 

665.51 

32 


The  main  contributors  to  mechanism  unreliability  are  believed  t,o  be 
the  receptacle  and  spring  plunger  each  having  a  constant  failure 
rate.  The  reliability  of  each  of  these  two  items  is  at  least  .9999 
for  the  time  the  destruct  assembly  is  under  stress.  The  switch  and 
explosive  charge  have  an  estimated  reliability  of  .9984  based  on 
data  from  Ordnance  Associates,  Inc.  When  the  ordnance  is  con¬ 
sidered,  the  estimated  reliability  of  the  Range  Safety  System  be¬ 
comes  : 

rRS  =  (*9965)  ( -999)2  (.9984) 

=  .9947. 


The  probability  that  a  malfunction  in  Ablestar  is  of  sufficient 
importance  to  cause  a  Range  Safety  destruct  signal  and  that  the 
Ablestar  stage  will  be  successfully  destroyed  is  the  product  of 
two  probabilities;  i.e.,  (.9947)  (probability  Ablestar  is  off- 
course  or  lacking  in  velocity  until  SECO  1), 

or  (.9947)  (l  -  reliability  of  all  propulsion  subsystems 

necessary  for  acceptable  flight  and  all  forward 
section  subsystems  necessary  for  acceptable 
flight  except  the  integrating  accelerometer). 


(.9947)  fi-fexp  -  ( b  ^5 )  (37.97 )  +  ( 20)  ( 392.7) +285(64, 98^  } 
L-  3600  x  iob 

(exp  _  D20)(200)  +  (l45)(25)  +  f 285)  (40)7  Cl 661.6)1 
+  f(20)(250)+l45)(25)+(285)(40)7  £(80.83)7  H 

3600  x  106 

-  (’.9947)  Cl  -  (e--0089)(e-00,t0)J 

-  (.9947)£l  -  (.9911)  (-9960)] 


322 


=  (.9947) (1  -  -9871) 

=  (.9947) (.0129) 

=  .0128. 

Consequently,  the  probability  that  destruction  will  be  neces¬ 
sary  is  1.29$  and  the  probability  of  being  destroyed  is  1.28$.  The 
probability  of  an  Ablestar  going  off  course  and  not  being  success¬ 
fully  destroyed  is  .0129  -  .0128  -  .0001,  or  0.01$. 

7.3  Ordnance  Items 

Excluding  range  safety  ordnance,  the  ordnance  of  the  Ablestar 
Stage  includes  the  booster  and  Ablestar  separation,  and  the  nose 
fairing  jettison.  Both  must  function  properly  for  acceptable 
flight.  There  are  two  explosive  bolts  on  the  nose  fairing,  180° 
apart,  two  sets  of  actuators  (two  each)  on  the  nose  fairing 
assembly,  and  three  explosive  bolts  on  the  interface  between  the 

h 

first  and  second  stages.  Each  of  the  separation  assemblies  has  a 
demonstrated  reliability  of  at  least  -995  with  95$  confidence.—^ 

The  same  number  of  tests  without  failure  which  demonstrate  a  relia¬ 
bility  of  .995  with  95$  confidence  also  demonstrate  a  reliability 
of  .9988  with  50$  confidence.  The  inherent  reliability  is  certainly 
greater  than  the  demonstrated  reliability  and  is  estimated  at 
.9988. 


—^Aerojet  Specifications  AGC  54006  and  AGC  54009  (Per  STL  Memo 
#7740.14-21) . 


323 


t 


Consequently,  the  reliability  of  the  Ablestar  ordnance 
(excluding  range  safety)  is  estimated  to  be: 

rq  =  (.9988) (.9988) 

=  .9976. 

Two  redundant  SEV-22M  Conax  retro  system  control  valves  in 
the  propulsion  system  provide  a  counter  thrust  at  payload  separa¬ 
tion  so  that  the  Ablestar  will  not  hit  the  payload  and  damage  it 
or  interfere  with  its  proper  orbit.  There  are  also  two  Conax 
vent  valves  in  the  forward  tank  which  are  actuated  subsequent  to 
payload  separation  to  minimize  possible  explosion  due  to  residual 
propellants.  These  redundant  Conax  valve  systems  are  at  least  as 
reliable  as  the  other  ordnance  subsystems,  so  their  reliability 
also  is  estimated  nominally  at  .9988.  Thus  total  ordnance  relia¬ 
bility,  excluding  range  safety,  is  ( .9978) (. 9988)  =  .9964. 

7.4  Structure 

In  order  to  demonstrate  one  approach  to  the  assessment  of 
the  reliability  of  a  structure,  it  is  assumed  that  test  data  of 
the  types  noted  below  are  available. 

7.4.1  Test  Data 

Previous  experience  has  shown  that  critical  structural 
members  exist  in  the  tanks  and  in  the  transition  stage.  Other 
structures  are  engineered  with  sufficiently  proved  safety  factors 
to  warrant  assignment  of  a  reliability  unity.  Testing  is  con¬ 
centrated,  therefore,  on  the  critical  items. 

324 


[ 


Tank  Reliability 


In  view  of  a  reliability  reserve,  it  was  possible  to  adopt 
the  thoroughly  conservative  'methodology  of  proving  tank  yield 
points  against  proof  pressures  in  lieu  of  the  looser  (but  still 
valid)  procedure  of  proving  burst  points  against  maximum  expected 
operating  pressures  (MEOP).  For  the  helium  tank,  burst  testing 
has  shown  that  rupture  occurs  at  6077  psi.  The  working  pressure 
(MEOP)  is  taken  as  4400  psi  for  this  analysis,  and  a  safety 
factor  of  1.1  is  applied  to  obtain  a  proof  pressure  of  4850  psi. 

In  order  to  evaluate  this  safety  margin  on  a  probability  basis, 
strain  gages  placed  at  points  of  each  helium  tarrk  during  proof 
testing  provided  31  measurements  of  strain  and  stress  during  the 
burst  test.  Table  XIII  shows  typical  data  from  the  test. 

Yield  points  for  these  31  stress-strain  variables  were  deter¬ 
mined  by  graphing  strain  data  from  the  rupture  testing  against 
pressure.  Knick  points  in  the  graphs  determine  the  strain  for 
this  material  and  tank  configuration  at  which  Hooke's  law  of 
elasticity  ceases  to  hold,  namely,  the  yield  points.  These  plots 
and  the  knick  points  were  assembled  in  four  graphs,  an  example  of 
which  is  shown  in  Figure  3-  These  graphs  indicate  that  16  data 
curves  reach  yield  points  near  or  before  the  tank  burst  pressure. 
These  are  the  most  suitable  locations  for  reliability  tests. 


325 


By  making  16  comparable  series  of  pressure-strain  readings  during  proof 
tests  on  helium  tanks  for  successive  vehicles ,  a  series  of  maximum  strain  read¬ 
ings  coaid  be  obtained  for  each  point.  Suppositional  data  listedin  Table  XIV  to  per¬ 
mit  completion  of  the  calculation  example.  The  maximum  strain  for 
each  of  8  supposed  tests  Is  derived  from  the  Table  XIV  data  and 
listed  In  Table  VI  together  v/ith  the  nick  point  derived  from  the  Table  XIII  data, 
an  extreme-value  plot  of  these  maxima  is  presented  in  Figure  4. 

From  these  plots  the  structural  risk  determined  for  each  location 
is  assessed  and  listed  in  Table  XV.  The  maximum  risk,  .000015, 
is  at  the  location  which  is  weakest  for  the  mission  analyzed. 

This  risk  is  the  structural  unreliability  of  the  tank  against  the 
burst  mode  of  failure,  and 

1  -  .000015  =  .999985 
is  the  structural  reliability  of  the  tank. 

A  gage,  or  "point,"  represents  a  location  and  directional 
reference  of  strain,  caused  by  stress  properly  imposed  under 
simulated  environment. 

It  will  be  noted  from  Figure  3  that  the  traces  of  strain 
gages  #21,  #31  and  #33  did  not  show  knick  points  from  the  rupture 
testing.  This  means  that  the  strains  measured  by  these  gages  did 
not  extend  to  Include  yield  points  of  the  tank.  Hence,  the  gage 
locations  were  representative  of  relatively  strong  points  in  the 
tank  configuration  and  will  be  excluded  from  the  further  analysis. 


328 


5350 


I  I 


I  I 


# 


H 

f— 

O 

o 

o 

o 

o 

o 

o 

o 

o 

o 

o 

Q 

CVJ 

C\ 

To 

o 

o 

Lf\ 

CJ 

03 

-•!' 

o 

o 

CVJ 

G> 

m 

O 

o 

H 

H 

G\ 

r  ■) 

*N 

o 

v.o 

9 

Ca 

To 

•v 

L'\ 

o 

Lf\ 

r—\ 

C\ 

•  V 

•v 

•v 

o 

o 

C.' 

CVj 

o> 

CO 

•> 

•s 

t'-- 

20 

o 

ro 

Lf\ 

_v 

O 

Lf\ 

o 

ir> 

8 

8 

o 

o 

t- 

vo 

u\ 

C— 

o 

lO 

iT\ 

at 

r>  g 

P  2 


3  VC  CO  <7\  O  H  CM  on  !TV  VO  O  H  ro 

H  H  r- :  H  W  OJ  IV  CV  (X  <U  CO  ro  CO 


£ 


$ 

as 

X) 

3 

a 

o 

•H 

■p  f 

•rl 

(0 

o  • 

& 

•31  5 

CO  * 

*  * 


330 


mm 


ISikMia 

ImiiM 

■  ■■■M  ft 


mm 

pmiiiuiinil 

kimmmimiiui 


iiiiiiimimnmnii 

iaaaaaaatMiaaaataaaaai 

HiniiiimiiiiiMmi 

■iiaaiaaanaai  uiaai 


till 

mi 


Hill 

IIUI 


liny 

fiaaaai 

iiniin 


!!!!! 

■iiim 

liifffliiiiiiaiiiiiRifliiiiiaaau 
aSaaaaaaaaaaaaaaaaaaaaiaaaaaal 
aalaaaaaaaaaaaaaaaaaaaaaaaaaagl 
■aapiuminaiiuiHniinBa 


ilium 

iiiniin 


:a!gasgwea:;sa:s:i: 

wBaMia— — — 

Kasaas^saagaiBii;; 


|i:na 

l:::» 

l=s=sa 


utni 

ibt» 

Mil 


■iraa  non 


l-*S=Xt*SS3ESSS3 


amrim  i mmi  mini kh  il _ 

iaiiaiiiiiiiaaBiiiiiifeimitilVtii«iaaiBiBiaiiiBiiiBw 


R 111111111111111111 

M  ■■■■■■■■■■■■■*•■■■ 
n  itMMMMniMRtW 

mm  immmmummmmmmmmmhmmi 

mm 

^MMMMMaaaaaiK 


mmumuiaunuuiitiMiii 

iiiuuiiHniiniaiiiuiiiiii 

m-a  teaxsxe 


nmmmrn 


iKannisissiHaliilSI 

itu:: 

|:k::  «:■ 

|:n»  »:n:::Mtr»!sai!ii 

l:::sa  :u::::nscc3i3aaBs 


luaiiiyyii 


BUIKIfl 


waei* »** 

hi  iHHiiSSB 

lss:s!  ISaSiiMiKHiKBnaBBlfllBgi 

s»3i:wu:::i»maaHi 

u:i::::t:tnnmauai 

I;:ki  i::s:3:i:iiuiinnsnai 

lr2X3»  l*£C2S3;;KBEEja. 

iiiiiiiimyyinl 


iaaa*3**as5Si 

ii  13  an  iaibs:  ■ 


n 


lh==§  :lliiiil§i»»8ilSi 
HHilfiHIIHII 

IcmiimMmmmmmmmmmi 


imiiniiyii 

iiiiiiiiiiHii 

iiiiiiiiimiii 

aiimiimiail 
■  ■<*■■  m  ■■■■■mb 

i*bw an  win?®* a*  »ib 
I  mm  m  m  m  ats  ■  a  «»[ 

iiii 


liitHiliifl 

■imsnnsi 

imniiBsi 

liunitira 

Saaca«iit=3a 
■  BininiH 


innum 

Ikiiiiiil 

Sfa»l8l!SI 

mtiinsi 

limiitmi 

iunust£;i 


331 


In  particular,  these  gage  points  would  not  be  instrumented  in 
proof  testing  the  tanks  of  successive  production  vehicles. 

In  general,  engineering  judgment  should  be  used  to  instru¬ 
ment  the  suspected  weakest  locations  of  the  structure  being 
evaluated  by  destructive  testing.  The  instrumental  traces  are 
then  examined  for  yield  points.  The  locations  for  which  yield 
points  appear  should  be  instrumented  during  future  structure 
reliability  proof  testing  of  production  items.  Reliability  of 
the  individual  vehicle  structures  may  then  be  calculated. 

Further  comments  chis  approach  are  presented  in  Section  9. 

Transition  Stringer  Reliability 

Through  similar  considerations,  again  using  suppositional 
data  in  order  to  provide  a  ready  example  (Table XVI),  the  case  is 
considered  in  which  too  few  data  are  available  for  fitting  extreme 
value  functions.  For  such  a  case,  a  graph  like  Table  II  In 
Reference  7  (which  is  based  on  normal-curve,  or  Gaussian,  proba¬ 
bility  theory)  may  be  developed.  It  is  recommended  that  sample 
sizes  from  3  to  7  be  included  in  this  graph  at  65$  statistical 
confidence,  and  that  the  graph  be  extented  to  6  nines. 

The  reason  for  suggesting  that  a  confidence  level  should 
automatically  be  imposed  is  that,  for  so  few  tests,  statistical 
accidents  of  sampling  can  occur  with  unacceptable  frequency 
unless  so  controlled.  The  reason  for  recommending  65#  confidence 


332 


TABLE  XVI 


TRANSITION  STRINGER 


Failure  Stress  Design  Load  x  10"3  *Yield  Point  x  10"3 


Moment (in -lb ) 


M0  =  787.5 


1,217.7 
1,261.0 
1,292.1 
5C  =  1256.93 

S  =  37.4044 
K  =  12.55 
R  »  >>  .9999** 


Axial  Load  (LB) 


Ao  =  123.9 


250.0 

262.5 

273.9 

JC  =  262.13 
S  =  11.9542 
K  =  11.56 
R  =  >>  .9999** 


♦Suppositional  data  only. 
**cf  Reference  7,  Table  II. 


333 


is  that  binomial  and  exponential  models  result  in  the  same— ^relia¬ 
bility  estimate  from  the  same  test  data  at  a  confidence  level 
between  62$  and  63$  (imposing,  thus,  a  lower  limit  on  the  most 
suitable  confidence  level),  while  on  the  other  hand  all  feasible 
information  should  be  drained  from  these  few  and  expensive  data 

(imposing  an  upper  limit).  For  more  than  7  points,  extreme  value 

4/ 

curve  fitting  is  deemed  potentially  more  accurate.— 

Stringer  members  of  the  Ablestar  transition-stage  structure 
have  a  torque  design  load  Mq  =  787,500  inch-pounds.  From 
suppositional  data,  provided  in  Table  16  to  permit  presentation 
of  an  example  of  Gaussian -model  analysis,  it  is  calculated  that 

X  -  M 

K  -  0  =  12.55  >  8. 

O 

Since  the  mean  yield  point  (calculated  for  the  3  suppositional 
tests  by  methods  like  the  knick-point  determination  discussed 
earlier)  is  more  than  8  standard  deviations  above  the  design  load, 
any  possible  unreliability  may  be  ignored  in  accordance  with  the 
suggestions  in  Reference  12.  In  other  words,  structural  relia¬ 
bility  against  this  failure  mode  is  estimated  conservatively  to 
be  insignificantly  less  than  unity  and  will  be  taken  as  unity. 

Note  that  the  standard  deviation  was  estimated  using  N-l  as  a 
divisor  (small-sample  estimator). 

3  / 

—  Provided  no  failures  occur  during  test. 

4/ 

—  However,  it  is  conceivable  that  more  than  7  structural  readings 
which  are  not  maxima  of  sets  could  be  analyzed  by  the  Gaussian 
stress-strain  technique. 


334 


Stringer  Reliability  Under  Compression  During  Boost 


Similarly,  Table  XVI  provides  the  calculations  from 
suppositional  axial-load  tests  of  3  stringers  which  show  the  test 
mean  to  be  mere  than  8  standard  deviations  above  the  design  load 
Aq  =  123,900  pounds.  Therefore,  structural  reliability  againBt 
this  failure  mode  also  will  be  taken  as  unity.  Combining  the 
results  obtained  above  produces  (by  product  rule)  a  total 
structural  reliability  of 

=  (.999985) (1.000000) (1.000000)  =  .999985 

O 

Rs  =  .9999. 

Alternative  Techniques 

For  structures  which  are  simple  in  the  sense  that  the  distri¬ 
bution  of  mission  stresses  throughout  the  structure  can  be  deter¬ 
mined  analytically,  strain  data  can  be  related  to  stress  by  methods 
like  those  in  Reference  15.  If  strengths  of  all  materials  are  known 
and  can  be  used  to  obtain  the  structural  strength  of  each  member 
against  all  significant  failure  modes,  it  may  in  some  cases  be 
possible  to  determine  reliability  by  propogating  the  sample-to- 
sample  variance  in  yield  points  into  the  variance  parameter  of 
the  density  function  of  the  yield  points. 

For  complex  structures  for  which  suitable  stress-distribution 
equations  and  other  performance  equations  can  be  developed 
explicitly  in  compatible  transfer-function  form,  a  combination  of 
the  methods  in  Reference  13  (for  environmental  stress  effects) 
and  14  (for  probabilistic  determinations)  should  be  developed. 


335 


8.0  Model  Exercise 


It  1b  now  possible  to  evaluate  the  elements  of  the  Dependa¬ 
bility  matrix  by  substituting  the  parameter  estimates  made  in 
Section  7.0  in  the  models  presented  in  Section  5.0. 

The  several  probabilities  determined  in  Section  7.0  are 
summarized  below. 


Parameter 

Probability 

Rp 

.9764 

RP 

.9822 

rf 

.9865 

K 

.9919 

% 

.9964 

Rs 

.9999 

RSafety  &  Arming 

.9982 

The  models  presented  earlier  will  first  be  evaluated, 
including  the  effect  of  the  Safety  and  Arming  device  in  the 
d^  element 

d  =  R  R  R  R_  R  . 

11  PROS  S+A 

=  (. 9764) (. 9865) (.9964) f.9999)(. 9982) 

-  .9579 


336 


I  =  R'  R'  R  R  -  d 
12  P  P  0  S  11 

=  (.9822) (.9919) (.9964) (.9999)  -  .9579 

=  .9706  -  .9579 

=  .0127 


d13  1  ^dll  +  d12^ 

=  1  -  (.9579  +  .0127) 
=  .0294 


^22  RP  KP 


*0  RS 

=  ( . 9822 ) ( . 9919 ) ( . 9964 ) ( . 9999 ) 
=  .9706 


d23  =  1  ”  d22 
=  1  -  .9706 
=  .0294 

The  resulting  matrix.,  then,  is: 


M- 


0.9579  0.0127  0.0294 
0  0.9706  0.0294 

0  01. 0000 


This  result  can  then  be  employed  in  conjunction  with  vectors 
for  Availability  and  Capability  as  demonstrated  in  previous 
examples . 


337 


9 . 0  Additional  Comments  ••  Structural  Reliability 


The  calculation  of  structural  reliability  Is  recommended  for 
those  areas  where  any  substantial  compromise  with  reserve  strength 
has  been  necessary  in  order  to  increase  vehicle  performance  within 
prescribed  weight  limitations  or  similar  constraints.  It  is  also 
recommended  where  new  departures  in  structural  design  transcend 
the  availability  of  solid. engineering  experience  with  safety 
margins.  Within  the  current  practice  of  providing  adequate, 
solidly  based  engineering  safety  factors  to  well  analyzed  structures 
of  known  characteristics,  however,  structural  reliability  may 
customarily  be  taken  as  unity. 

Because  of  this,  programs  may  often  be  funded  under  restric¬ 
tions  that  prevent  extensive  application  of  expensive  structural 
tests,  without  which  the  variability  data  necessary  for  statistical 
appraisal  of  the  risks  of  structural  failures  during  mission 
operations  (structural  unreliability)  cannot  be  assessed.  Con¬ 
sequently,  it  is  appropriate  to  exemplify  two  structural  cal¬ 
culation  models,  one  for  proper  statistical  analysis  based  on 
extreme-value  theory,  and  the  other  for  statistical  control  of 
the  structural  risk  when  data  are  insufficient  for  proper  analysis. 
The  general  theory  of  extreme  values  of  structural  strain  is  dis¬ 
cussed  briefly  below,  with  references.  The  two  examples  pre¬ 
sented  in  Section  7.4  illustrate  these  approaches. 


338 


For  structures,  only  two  states  are  considered,  namely,  not 
failed  and  failed.  There  is  at  least  a  third  state  in  which  a 
yield  point,  or  elastic  limit,  of  a  structural  member  has  been 
exceeded  without  mission  degradation.  However,  state-of-the-art 
data  are  not  expected  to  suffice  for  useful  conclusions  as  to 
reliability  within  this  marginal  region. 

9 . 1  Extreme  Value  Approach  to 
Evaluation  of  Structure 

Application  of  the  extreme  value  theory  to  the  validation  of 
structural  designs  gives  the  analyst  a  significant  tool  in  the 
assessment  of  test  results  of  various  structural  members.  In 
turn,  it  provides  a  basis  for  prediction  of  the  reliability  of 
individual  components  or  structural  members.  It  is,  therefore, 
an  important  ancillary  method  for  the  Safety  Margin  Analysis  Theory. 
Preliminary  considerations  given  to  the  application  of  the  extreme 
value  theory  indicates  that  it  can  provide  means  for  rapid  graphical 
analysis  of  the  best  results  and  give  valid  results  on  which  to 
derive  significant  engineering  conclusions. 

The  strength  of  materials  in  engineering  has  been  always  an 
important  design  criterion.  The  growth  of  statistical  methodology 
provides  important  means  to  further  refine  and  sharpen  the 
analytical  and  design  considerations  of  equipment  structures.  For 
example,  for  observations  based  upon  strength  of  materials,  if  the 
ratio  s  :x  is  increased  from  5$  to  where  s  is  standard  deviation 


339 


from  measurement  and  x  Is  mean  strength,  then  the  failure  rate 
Increases  by  a  factor  of  50,  approximately  once  in  500  observa¬ 
tions.  '  Hence,  the  scatter  in  ultimate  strength  should  be  con¬ 
sidered.  See  Figure  5- 

Increased  scatter  can  be  caused  by  three  sources:  (l)  The 
material  and  surface  conditions  of  the  specimen;  (2)  Errors  in 
the  nominal  loads  of  the  testing  machine;  and,  (3)  Environmental 
changes.  (l)  and  (2)  imply  that  the  machines  or  specimens  are  not 
homogeneous.  (1)  could  also  indicate  that  the  stress  levels  of 
the  test  are  not  sufficiently  separated  as  may  occur  in  the  case 
when  observations  may  be  assigned  to  the  wrong  stress  level. 
Increased  scatter  can  be  caused,  for  example,  by  increasing  the 
temperature  of  the  material  at  different  intervals  of  time  during 
its  application. 

The  scatter  Is  a  function,  therefore,  of  the  sample  size  and 
provides  realistic  protection  in  structural  validation. 

A  good  book^  treating  the  subject  contains  an  article  con¬ 
tributed  by  E.  J.  Gumbel  called  "Statistical  Estimation  of  the 
Endurance  Limit,  An  Application  of  Extreme-Value  Theory."  Gumbel 
defines  the  probability  of  survival,  l(x),  which  is  the  same  as 
reliability,  and  plots  a  family  of  l(x)  curves  on  S-N  axes.  See 
Figure  6.  Stress  is  S  and  the  number  of  cycles  is  N.  These 
curves  are  plotted  in  logarithmic  space. 


f 


Strength  -  £  Limit  Load 

FIGURIC  r) 

ULTIMATE  STRENGTH  AS  A  FUNCTION  OF  - 

x 


3 


The  curves  are  based  on  fatigue  tests  where  the  variables  of 
interest  were  minimum  life,  true  endurance  limit,  endurance  limit, 
and  probability  of  permanent  survival. 

Preundenthal  has  also  done-  some  extensive  work  in  applying 
extreme  value  theory  to  repeated  and  ultimate  load  to  improve  the 
reliability.  He  suggests  that  a  more  rational  basis  for  selection 
of  safety  factors  should  be  based  upon  the  concept  of  probability. 
His  article,  "Safety,  Safety  Factors  and  Reliability  of  Mechanical 
Systems,"  is  published  in  (10). 

In  this  method  scatter  is  a  function  of  the  sample  Bize,  N. 
This  method  clearly  points  out  the  "3s"  fallacy  commonly  used  by 
test  engineers.  The  3s  method  assumes  that,  no  matter  how  large 
the  sample  size  becomes,  the  risk  that  Some  member  of  the  sample 
will  exceed  3  standard  deviations  stays  constant.  However,  this 
is  not  the  case.  The  scatter  (i.e.,  sample  range)  always  tends 
to  increase  as  more  samples  are  taken.  Also,  the  width  of  the 
confidence  interval  becomes  wider  for  probabilities  that  approach 
one.  Thus,  the  extreme  value  is  a  good  indicator  as  to  the  over¬ 
estimation  or  underestimation  achieved  by  the  assigned  safety 
factor  used  in  the  design  of  a  given  structure. 

Consider  N  random  observations  X^,  X£,  ....,  X^  that  are 
rearranged  in  descending  order  of  magnitude  and  denoted  by 
X(i),  x(2)»  ••••»  x(n)’  We  assume  these  observations  are 


v 

4 


343 


from  the  following  cumulative  distribution  function  (cdf): 

-e  -y 

F^y )  =  e  ,-eo<y<+oo 

v/here  y  is  the  reduced  variate  defined  by: 


y 


and  where  9^  is  the  location  parameter  and  92  is  the  scale 
parameter. 


Now  let 


-y 


P  =  e  --------  -  -(equation  A) 

where  P  is  defined  as  1  -  for  smallest  value  theory  and 

where  1  is  the  ith  ordered  observation.  The  range  of  this 


where 


cumulative  distribution  ‘'unction  Is  (  ^  STT* 

approaches  unity  as  N  becomes  large.  Talcing  double  logarithms, 
y  =  -lnn  [  -lnn  p] 

^  j 


We  now  have  the  line : 

X  =  9i  +  92  y 

which  is  plotted  on  extreme  value  probability  paper.  92  is  the 
slope  of  the  line  and  9^  is  the  intercept.  The  slope  indicates 
the  scatter  of  the  observations.  The  shallower  the  slope,  the 
greater  will  be  the  scatter. 


By  extrapolating  the  line,  the  model  gives  us  protection 
against  the  weakest  link  in  any  furure  observed  specimens.  For 


344 


for  K  future 


example,  we  can  find  the  smallest  value,  X(^+K)' 

observations  by  extrapolating  the  line  to  a  value  that  corresponds 

to  the  cumulative  probability  distribution  of  P  =  1  -  - =  — i__, 

N+K+l  N+K+l 

However,  the  width  of  the  confidence  interval  becomes  larger  as 
K  increases.  This  seems  reasonable  because  the  uncertainty 
increases  for  statements  on,  say,  the  billionth  extreme. 


9.2  Practical  Considerations 

As  pointed  out  in’ the  discussion,  the  problem  is  to  devise 
a  structural  validation  method  which  combines  minimum  safety 
factor,  designer-' s  judgment,  lifetime  history,  and  conditions. 

To  emphasize  the  powerful  flexibility  of  extreme  value  theory 
this  example  looks  at  one  test  performed  on  a  spherical  tank, 
where  comparisons  are  made  on  strain  gage  readings  by  looking  at 
three  particular  pressures  of  the  test;  namely,  burst,  proof,  and 
working  pressures. 


The  proof  pressure  wa3  chosen  before  the  test  by  the  fol¬ 
lowing  method: 

Proof  Pressure  =  (safety  factor)  x  (working  pressure)  where 

the  safety  factor  was  taken  as  1.1,  hence 

working  pressure  =  4400 

proof  pressure  =  4840. 

It  turned  out  that  the' burst  pressure  was  6077.  Looking  at  the 
largest  of  the  extremes  of  these  three  lines  it  can  be  seen  that 
burst  occurs  well  above  the  proof  pressure  line.  The  designer's 
safety  factor  appears  to  be  a  very  safe  value  based  upon  the 
results  of  this  one  test. 


345 


If  more  tests  were  taken  independently  and  plotted  in  a 
similar  manner,  then  from  the  variance  and  mean  (i.e.,  from  the 
parameters  in  the  extreme  value  distribution)  the  lines  corre¬ 
sponding  to  the  level  of  protection  can  be  drawn  if  it  is  assumed 
that  the  positioning  of  the  strain  gages  on  the  sphere  does  not 
influence  the  reading  for  any  particular  sphere.  This  is  one 
reason  why  more  tests  should  be  taken,  because  then  the  various 
strain  gage  populations  can  be  separated  by  ranking  procedures 
in  the  theory  of  order  statistics.  In  most  cases  this  would 
substantiate  the  test  engineer's  choice  in  placing  the  strain 
gages. 

Figure  7,  graphed  from  the  data  in  Table  ’Til,  shows  that  the 
readings  of  these  thirty-one  strain  gages  from  this  one  test  should 
be  separated  Into  more  than  one  population.  The  physical  match 
would  be  that  many  of  the  gages  are  far  below  the  critical  point 
when  the  burst  occurs.  The  graph  3how3  that  a  minimum  of  13#  of 
the  gages  belong  to  another  population.  After  this  separation 
the  variance  would  decrease  and  the  mode  would  increase. 

In  the  graph,  since  the  burst  line  is  much  higher  than  the 
proof  line  above  the  working  line,  the  designed  safety  factor  is 
adequate.  The  fact  that  three  strain  gages  were  very  high  makes 
the  others  suspect.  This  burst  line  would  be  an  upper  limit  for 
this  test,  and  can  be  assigned  a  reliability  of  zero  (i.e.,  the 


346 


TABLE 


.yji 

ORDERED  STRAIN  READINGS 


Strain  at 

Strain  at 

Strain  at 

i 

3? 

i 

Burst 

Proof 

Working 

Pressure 

Pressure 

Pressure 

1 

4343 

3347 

3491 

3028 

.031 

2 

4548 

3124 

.063 

3 

4824 

3542 

3220 

.094 

4 

4903 

3722 

3399 

.125 

5 

5017 

3761 

3434 

.156 

6 

5065 

3814 

3450 

.188 

7 

5211 

3847 

4010 

3501 

.219 

8 

5239 

3588 

.250 

9 

5601 

4053 

3656 

.281 

10 

5682 

4094 

3685 

.313 

11 

5747 

4111 

3712 

.344 

12 

5769 

4l60 

3722 

.375 

13 

14 

5845 

5897 

4177 

4208 

mi 

.406 

.438 

15  . 

5931 

4255 

3846 

.469 

16 

5952 

4338 

3858 

.500 

17 

5992 

4348 

3925 

.531 

18 

6004 

4362 

3926 

.563 

19 

6016 

4370 

3940 

.594 

20 

6023 

4390 

3940 

.625 

21 

6032 

4434 

4002 

.656 

22 

6227 

4555 

4108 

.688 

23 

6237 

4651 

4224 

.719 

24 

6266 

4730 

4310 

.750 

25 

6427 

4907 

5008 

4432  — 

.781 

26 

6494 

4499 

.813 

27 

6798 

502C 

4553 

.844 

28 

7861 

5038 

.375 

29 

9460 

5068 

.906 

30 

5232 

.938 

31 

5375 

.969 

f 


line  of  sure  failure).  More  tests  would  give  the  variance  of  this 
sure  failure  line  and  the  3-S  limits  of  this  sure  failure  line 
must  not  intersect  the  3-S  limits  of  the  working  line. 

Analysis  by  Calculation  and/or  Graphing 

As  explained  in  the  discussion  of  the  method  of  analysis, 
rapid  results  of  analysis  can  be  achieved.  Moreover,  this  method 
affords  graphical  means  of  analysis  which  provides  the  designer 
the  additional  assurance  of  confirming  his  own  engineering 
experience . 

For  N  4.  18,  the  Type  I  extreme -value  function  should  be 
fitted  by  a  computer  program  using  modified1^  least-squares 
equations,  and  checked  by  graphing.  Graphical  solutions  may  be 
feasible  for  larger  samples.  For  extreme -value  calculations  and 
graphing,  the  maxima  (or  minima)  used  as  observations  are  ordered 

1.U 

in  size,  and  the  j  cumulative  frequency  is  determined  by  the 
formula, 

pj  -  nil’  J  -  2.  3,  — N. 


349 


BIBLIOGRAPHY 


1 .  Revised  Reliability  Analysis  of  The  Ablestar  Stage, 

Space-General  Corporation,  Report  No.  1 1 1R-6,  April 

1963  (Contract  AF  04(695) -95) 

2.  Earles,  D.  R. ,  Reliability  Growth  Prediction  During  The 
Initial  Design  Analysis,  in  Proc.  7th  National  Symposium  on 
Reliability  and  Quality  Control,  January  1961,  (pp.  380-398). 

3.  Reed,  A.,  Survey  of  Component  Part  Failure  Rates,  Aerospace 
Corporation  Report  1923-I-69. 

4.  MIL-R-27542  (USAF)  Reliability  Program  Requirements  for  Aero¬ 
space  Systems,  Subsystems  and.  Equipment,  2b  June  1961  as 
amended. 

5.  Doshay,  I.,  H.  L.  Shuken,  Reliability  Prediction  Through  Time 
Stress  Analysis,  7th  Military -Industry  Guided  Missile  and  Space 
Systems  Reliability  Symposium,  San  Diego,  Calif.,  June,  1962. 

6.  Design  Criteria  for  Electronics  Parts,  Reliability  Bulletin 
No.  0-6B,  Lockheed  Missile  System  Division,  12  October  i960. 

7.  Bombara,  E.  L. ,  Reliability  of  Compliance  with  One-Sided 
Specification  Limits  When  Data  Is'  Normally  Distributed,  ARGMA 
TR  2BIR,  1$  September  l$6l. 

8.  Bouton,  I.  Statistical  Structural  Design  Criteria,  Amer.  Rocket 
Soc.  Launch  Vehicles  Structure  and  Materials  Conference, 

April  1962. 

9.  Sarhan,  A.  E.  and  B.  G.  Greenberg  (Ed.),  Contributions  to 
Order  Statistics,  Wiley,  1962. 

10.  Bogdanoff,  J.  L.  and  F.  Kozin,  Proceedings  of  the  First 
Symposium  on  Engineering  Applications  of  Random  Function 
Theory  and  Probability,  Wiley,  1963. 

11.  Lunde  and  Simon,  Report  of  Structural  Testing  of  Components 
for  Second  Stage  Ablestar,  Aerojet-General  Report  1907* 

December  I960. 

12.  Lusser,  R. ,  Reliability  Through  Safety  Margins,  USAOMC 
Publication,  October  1958. 


350 


13.  Do shay.  I . ,  et  al,  Development  of  an  Analytical  Model  for 

Environmental  Resistance  Inherent  in  Equipment  J Project  ERIE) 
RTD -TDR-63-4101,  January  1964.  * 

14.  Bosinoff,  I.,  et  al*  Transfer  Functions  in  Mathematical 
Simulation  for  Reliability  Prediction,  RADC-TDF.-b3-»7, 

30  January  19^3  „ 

15.  Haynes,  J.  S. ,  Hydrostatic  Proof  and  Burst  Test  of  Helium 
Pressure  Tank,  SGC  Report  265FR-14,  March  19b4. 

16.  Lieblein,  J.  R. ,  A  New  Method  of  Evaluating  Extreme  Value 
Data,  NACA  TN  3053*  January  195^ 

17.  Gumbel,  E.  J.  ;  Statistical  Theory  of  Extreme  Values  and  Some 
Practical  Applications,  U.  S.  Department  of  Commerce,  National 
Bureau  of  Standards,  Applied  Mathematics  Series,  February  1954. 


351 


appgiidix  i 


A  MODEL  FRAMEWORK 
FOR  SYSTEM  EFFECTIVENESS 


February  1964 
(Revised  July  1964) 


Prepared  for 

Weapon  System  Effectiveness 
Industry  Adv: sory  Committee 
Task  Group  IV 

By 

Harold  S .  Balaban 


NOTE:  This  paper  was  revised  in  July*  1964,  with  the 
permission  of  the  author.  The  revision  repre¬ 
sents  changes  in  terminology  and  notations  only. 
The  revised  paper  is  now  in  agreement  with  the 
notation  and  terms  employed  by  Task  Group  II. 

Specifically,  the  transition  matrix  is  denoted 
.  .  .  .by  D,  rather  than  R;  and  the  capability  vector 

(previously  called  Design  Adequacy)  is  denoted 
by  C  rather  than  D. 


ARINC  Research  Corporation 
a  subsidiary  of  Aeronautical  Radio,  Inc. 
1700  K  Street,  N.  W. 
Washington,  D.C., 20006 


352 


A  MODEL  FRAMEWORK  FOR  SYSTEM  EFFECTIVENESS 


y 


Prepared  for  the  Weapon  System  Effectiveness  Industry  Advisory 
Committee,  Task  Group  IV  by  H.  Balaban,  ARINC  Research 
Corporation,  February  1964. 

1.  INTRODUCTION 

The  model  framework  for  system  ef  f  ectiver\ess  that  is 
summarized  in  this  paper  was  developed  primarily  for  air¬ 
craft  systems;  application  to  other  system  types  will,  for 
many  cases,  be  quite  direct.  The  approach  used  for  quantify¬ 
ing  a  probabilistic  or  expected-value  figure  of  merit  for 
system  effectiveness  is  based  on  matrix  representation  of 
system-state  probabilities  which  may  be  analyzed  through  the 
theory  of  Markov  chains. 

The  framework  will  be  developed  through  first  considering 
a  probabilistic  figure-of -merit  for  a  system  for  which  there 
exists  just  a  single  performance-point  in  time.  This  restric¬ 
tion  is  then  relaxed  to  include  a  finite  number  of  such  points. 
This  vector  of  discrete  performance  points  is  then  extended  to 
one  which  contains  discrete  performance  intervals.  The  final 
extension  is  consideration  of  an  expected  value  figure-of -merit. 
Sub-models  for  quantifying  some  of  the  required  inputs  to  the 
overall  model  are  also  discussed. 


2.  BASIC  ASSUMPTIONS  AND  CONDITIONS 

(1)  Aircraft  systems  with  a  known  mission  length  are 
considered.  After  mission  completion,  facilities  are  avail¬ 
able  for  performance  of  maintenance  actions. 

(2)  Units  in  the  system  can  be  classified  into  two 
states  --  success  or  failure  --  in  consonance  with  the  usual 
definition  of  reliability.  That  is,  a  successful  unit  is 
defined  to  be  one  that  meets  its  design  specification.  Cap¬ 
ability  accounts  for  the  adequacy  of  the  specification  for 
the  mission  under  consideration. 

(3)  The  state  transition  process  is  Markovian;  that  is, 
the  state  of  the  system  at  some  future  time  is  dependent  only 
on  the  present  state  and  future  performance,  and  not  on  how 
the  system  reached  its  present  state. 

(4)  The  system  level  at  which  the  system  states  are 
represented  comprises  only  units  that  are  mutually  indepen¬ 
dent  with  respect  to  their  performance  (output)  and  their 
effect  on  mission  accomplishment  (  capabilities). 


y  Abstracted  from  the  report,  "System  Effectiveness:  Concepts 
and  Analytical  Techniques",  H.  Balaban,  D.  Costello,  ARINC 
Research  Corporation  Publication  267-01-7-419,  under  Air 
Force  Contract  AF  33 ( 657 ) -10594 ,  January  1964. 

353 


3.  SINGLE  PERFORMANCE -TIME  POINT 

Consider  a  system  which  is  to  perform  a  mission  of  t 
hours  duration,  over  which  each  unit  may  be  prone  to  failure. 

At  time  t  all  required  functions  must  be  successfully  per¬ 
formed.  Effectiveness  is  defined  to  be  the  probability  that 
the  system  will  be  "ready"  at  the  beginning  of  the  mission 
and  will  be  able  to  successfully  perform  all  functions. 

The  following  vectors  and  matrices  are  defined,  assuming 
four  possible  system  states. 

V  =  (vi,  v2i  v3>  v4  ), 

where  «  probability  that  the  system  Is  In  State  I  at  time  0, 
the  beginning  of  the  mission; 


where  wi  =  probability  that  the  system  will  be  used  for  the 
mission,  given  State  1  at  time  0; 


Dxi(0'  t)  D-ia(0'  d13(0'  fc)  Du(°.  tf 

,  x  ^  D,J°>  D,J°>  ^  ^ 

r/rv  t-\  _  21  22  23  24 

D  (0,  t)  D  (0,  t)  D  (0,  t)  D  (0,  t)  ' 

31  32  33  34 

D  (0,  t)  D  (0,  t)  0  (0,  t)  D  (0,  t) 

L  41  42  43  44 

where  t)  =  transition  probability  that  the  system 

is  in  State  j  at  time  t,  given  State  I 
at  time  0;  and 


where  =  probability  that  the  i1"1  system  state  will  lead 
to  successful  mission  accomplishment. 


354 


These  vectors  and  matrices  are  characterized  as  follows: 


V  vector  (state  readiness)  -  a  function  of  reliability  on 
previous  missions  and  during  ground  maintenance,  mainte¬ 
nance  diagnostic  and  repair  capability,  logistics  and 
other  ground  support  factors 

W  matrlx(mlsslon  readiness)  -  a  function  of  diagnosis  of 
system  state  (during  alert  phase),  operational  policy, 
system  flexibility,  system  backup 

D matrix  (state  transition)  -  a  function  of  reliability  and 
in-flight  repair  capability 

C  vector  (  capability  )  -  a  function  of  design 
specifications,  mission  requirements,  performance 
capabilities,  external  environment. 

Under  the  basic  restrictions  and  assumptions  given  in 
Section  2,  effectiveness  is  represented  by  the  equation 

E  =  VWVC ,  (Equation  1) 

which,  by  performing  the  indicated  matrix  multiplications, 
yields  the  equation 

4  4 

E  -  I  I  VAjC0'  t)cr  (Equation  2) 

M  i=i 

The  general  term  of  Equation  2  is 

P(State  i  at  t  =  0)-P(system  is  used,  given  State  i  at 
t  =  0)- 

P(state  transition  from  i  to  j  during  the  mission)- 
P(all  required  functions  are  performed,  given  State  j). 


355 


Even  with  the  extreme  simplicity  imposed  on  this  example, 
there  still  remains  the  problem  of  quantifying  the  elements  in 
the  V,  W,  D,  and  C  matrices.  Several  pertinent  considerations 
are  presented  in  Section  7. 


4.  MULTIPLE  PERFORMANCE-TIME  POINTS 


In  this  section  we  relax  the  assumption  that  only  a  single 
performance-time  point  exists.  In  order  to  maintain  the 
discrete-parameter  case  for  purposes  of  simplicity,  we  now 
assume  that  m  performance-time  points  are  established,  t]_, 
t2»....tm,  and  that  t0  is  time  0  and  tm  is  the  mission  length. 
For  each  ti  there  exists  a  set  of  required  functions  [FjJ, 
which  will  generally  vary  with  tj_. 

The  following  matrices  are  now  defined: 


D 


k  •  • 

•  •  • 

•  -  • 

Dsa^ti-i,tl^  •••  ^ss^i-i^ 


where  1  1  i  1  m,  D  jk^i-l’^i)  is  the  probability  of  a  transi¬ 
tion  from  State  j  to  State  k  during  the  interval  (t  t j_) , 
and  s  is  the  total  number  of  system  states.  [Note  that  if 
t^  =  0,  D(tQ.t^)  is  the  identity  matrix.] 


C  (t1) 


O 


356 


where  is  the  capability  of  the  system  at  time  t^ 

if  it  is  in  State  k.  Thec^(t^)  elements  are  thus  related 
to  the  set  of  required  functions  {F.J . 


CL  (t  ) 
nr 

c  (t  ) 
2)  m' 


c  ( t  ) 
s v  nr 


where  ck(tm)  is  defined  in  the  same  manner  as  c^(t^). 

Then  we  have  the  following  equation  for  effectiveness,  E 

m 

E  =  VW  yy  f  D(ti_iJti)c(ti)JJ  (Equation  3) 

1=1 


where  V  and  W  are  as  defined  previously. 

All  comments  made  in  Section  7  pertaining  to 
quantification  of  the  elements  in  the  V,  W,  D,  and  C  matrices 
apply  to  Equation  3  .  The  algebraic  manipulations  for  a 
two-state,  two-time-interval  situation  are  shown  below. 


For  display  purposes,  let 


c 


\  •  n  U) 

c,  (t. )  ana  D 
k  l '  jk 


=  Vb-i 


» t  )  ♦ 


Then  the  equation 

E  =  VW5(t0,t1>C(t1)D(t1,t2)c(t2) 


reduces , 


by  pairwise  matrix  multiplication,  to 


357 


L  x  *=  U 


which  then  reduces  to 


D(i)c'i)dWcW  ■  D(2'c  (2) 


dWcw 


D^c  ^ 
11  'i 


[v  w  D^c  +  v  w  D^c^"1  [d^c^  +  D^c^l 

L  1  lUir  1  2  2  21  1  J*  _  11  1  '12  2  J 

+  Tv  w  D(l)cW  +  v  w  D(l)c  .  \DCs)  C(2)  +  D(2^C  (£»1 
[  1  lu12  2  2  2  22  2  J  *  L  21  1  22  2  J 


d'2V2>' 

12  2 


It  is  noted  that  for  the  case  in  which  there  is  no  in¬ 
flight  repair,  the  matrix  product  =  D (t^.i , t^)c (t .  )  is 

triangular  for  i  =  1,2 . ,m-l,  if  system-state  numbers  are 

assigned  by  the  rule  described  in  Section  7.3.  Then  the 
product 

m-1 

TT  Pi 
1  =  1 

is  also  triangular;  if  programming  advantage  is  made  of  this 
fact,  significant  savings  in  computer  time  can  result. 


5.  MULTIPLE  PERFORMANCE -TIME  INTERVALS 

A  further  extension  would  be  to  relax  the  restriction 
that  functional  performance  is  required  only  at  discrete 
points  in  time.  We  shall  now  consider  a  vector  of  performance- 
time  intervals  T^  which  represents  the  intervals  from  t^  to 

t^  +  Aj_,  where  i  =  1,  2,...,  m.  In  order  to  maintain  a 

discrete-parameter  Markov  chain,  we  shall  assume  that  for 
system  success  no  state  transitions  are  allowed  during  such 
intervals . 

Define  the  matrix  G(Tj[),  which  represents  state  continuance 
as  follows: 


where  c^T^)  represents  the  probability  that,  given  State  k 
at  time  tj_,  no  state  transition  occurs  before  time  t^  +  . 

If  the  intervals  T^,  T2»...f  Tm  can  be  constructed  without 
resulting  in  overlap  in  the  t^'s,  which  might  occur  because 
of  varying  functional  performance-time  requirements,  we  then 
have,  from  Equation  3, 

m 

E  =  W  Tf  [D(t1_l+A1_i,t1)G(T1)C(T1)].  (Equation  4) 
i=l 


For  cases  where  overlap  does  occur,  e.g.,  Function  1  is 
required  for  time-period  0-2,  and  Function  2  is  required  for 
time-period  1  to  3,  it  is  possible  to  obtain  the  value  of 
E(Fj),  the  effectiveness  of  the  jth  function.  Overall  system 
effectiveness  is  then  an  appropriate  combinatorial  function  of 
the  E(Fj). 

6.  EXTENSION  TO  AN  EXPECTED  VALUE  FIGURF-OF-MFRIT 

l 

The  model  for  quantifying  a  probabilistic  figure  of  merit 
for  effectiveness  can  be  extended  to  one  that  quantifies  an 
expected-value  figure  of  merit.  This  extension  is  accomplished 
through  appropriate  modification  of  the  capability  vector. 

Instead  of  defining  cj,.  in  the  Vector  C  to  be  the  prob¬ 
ability  of  mission  accomplishment,  given  the  kth  state,  let 
us  define  in  the  Vector  C'  to  be  some  value  coefficient 
corresponding  to  performance  in  the  k^h  state.  Thus,  for 
State  k,  c  might  be  the  percentage  of  information  return; 
the  expected  target  destruction;  possibly  a  number  on  a  value 
scale  of  0  to  10;  or  some  other  value. 

This  definition  of  the  C'  vector  applies  directly  to  the 
simple  model  given  by  Equation  1  .  For  the  extension  of  the 
model  to  multiple  performance  times,  this  vector  must  be 
mission-time-dependent,  i.e.,  of  the  form  C’  (t^).  This 


359 


requires  that  the  time-dependent  functions  c £ (t^)  have  meaning. 
For  the  examples  given  above,  the  percentage  of  information 
return  might  be  a  figure  of  merit  for  a  reconnaissance  mission 
in  which  information  is  related  to  mission  time  by  depth  of 
penetration  into  enemy  territory.  The  expected  target 
destruction  might  be  time-dependent  if  a  plane  is  to  bomb  more 
than  one  target.  These  examples,  of  course,  are  by  no  means 
complete,  since  some  artificiality  must  be  introduced,  for  the 
discrete-parameter  case. 

We  then  have  the  following  equation:^/ 


J 


E(tj)  =  W  "[J  D(ti_i,t1)c'(tj) 

1=1 


=  W.'D ( to 


(Equation  5) 


where  E(tj)  represents  the  expected-value  figure  of  merit  for 
effectiveness  at  time  t  j .  Assuming  well-behaved  functions,  the 
time  average  of  E(tj)  over  the  mission  length  tm  may  then  be 
used  as  an  overall-effectiveness  figure  of  merit. 

For  the  discrete  case, 

in 

E  =  ^  ^  E(tj).  (Equation  6) 


For  the  continuous  case, 


E 


(r)d 


t. 


(Equation  7) 


Note  that  if  the  value  coef f icient  c ^ (t )  equals  1,  if 
State  k  belongs  to  the  set  of  satisfactory  states  and  c)c(t) 
is  0  otherwise,  Equations  6  and  7  represent  the  expected 
fraction  of  mission  time  during  which  the  system  is  in  a 
satisfactory  state. 

y  C'(tj)  in  this  equation  is  a  column  vector  with  s  rows. 


360 


7. 


QUANTIFICATION  OF  ELEMENTS 


This  section  discusses  means  for  quantifying  elements  in 
the  model  presented  for  a  single  performance-time  point,  Equa¬ 
tion  1.  Extension'  to  the  other  models  is  fairly  direct. 

\ 

7 . 1  Quantification  of  the  State 
Readiness  Victor,  V 


Quantifying  the  v^  could  very  well  involve  a  model  much 
more  complex  than  the  effectiveness  model  to  which  it  is  an 
input.  If  we  consider  the  V  vector  as  one  composed  of  steady- 
state  probabilities  ,2/  the  well-known  formula  for  availability 
or  readiness  can  be  used.  It  is  expressed  by  the  equation 


A  = 


MTBF 


(Equation  8) 


where  MTBF  is  mean  time  between  failures  and  MDT  is  mean  down 
time.  If  we  assume  complete  independence  both  during  main¬ 
tenance  and  during  flight,  we  have 

vx  =  AiAe 

v2  =  A1(l  -  Aa) 
v3  =  d  -  Ax)Aa 
v  =  (1  -  A  )(i  -  A  ), 

where  Aj.  is  the  availability  of  the  unit  (i  =  a  or  b). 

There  exist,  of  course,  much  more  complex  models  for 
quantifying  the  system  state-readiness  parameters.  These 
models  may  involve  such  disciplines  as  queuing  theory,  inven¬ 
tory  theory,  renewal  theory,  and  Markov  processes.  If  the 
steady-state  situation  is  assumed  to  hold,  one  can  use  reli¬ 
ability  theory  to  estimate  MTBF's,  and  the  above  disciplines 
to  estimate  MDT’s  at  the  system  level  for  which  the  independ¬ 
ence  assumption  holds.  It  is  also  possible  that  knowledge  of 
the  interdependencies  at  a  particular  system  level  will  indicate 
the  appropriate  combination  of  unit-availability  parameters, 
thus  obviating  the  need  for  the  assumption  of  independence. 


1/  The  term  steady  state  refers  to  the  limiting  probability 
distribution  of  a  Markov  process  in  which  the  distribution 
is  independent  of  initial  conditions. 


361 


It  is  emphasized,  however,  that  the  readiness  vector  is 
generally  dependent  on  the  D  and  W  matrices  as  shown  by  the 
general  Markovian  equation 

P(tn)  =  P(ti)P(ti,tn)  (Equation  9) 

where  P(tj_)  is  an  unconditional  probability  vector  and  P(t^,tn) 
is  a  transition  probability  matrix.  P(tn)  corresponds  to 
the  vector  at  calendar  time  tn  and  P(tj_,tn)  is  some  function  of 
the  W  and  D  matrices. 

To  view  this  dependence  more  directly,  assume  that  we  are 
considering  states  only  at  the  system  level;  thus  two  states 
are  possible  at  the  beginning  of  a  mission:  success,  S,  or 
failure,  F.  The  following  matrices  are  defined: 


V 


D  = 


Rss  Dsf 
Dfs  D  ff 


The  subscript  s  corresponds  to  success,  and  the  subscript  f 
corresponds  to  failure.  Stationary  transition  probabilities 
corresponding  to  a  constant  mission  length  are  assumed  for 
elements  in  the  D  matrix. 

Assume  that  missions  are  scheduled  to  take  place  at 
calendar  times  tj ,  t2» • • • »tm, . . . ,  which  are  independent  of 
previous  system  performance.  It  is  now  desired  to  obtain  the 
vector  V  for  a  particular  mission.  [Since  Vf  =  1  -  vg,  we 
actually  need  only  find  the  probability  that  at  the  beginning 
of  the  mission  (time  tm)  the  system  is  in  a  successful 
state .  ] 

The  dependencies  now  become  obvious.  Whether  the  system 
is  successful  at  tm  depends  on  whether  it  failed  during  the 

previous  mission.  If-  it  failed,  the  repair  capability  is 

introduced.  Whether  it  failed  during  the  previous  mission  is 

a  function  of  its  state  at  time  t  , ;  etc. 

m-l 

To  obtain  the  state-readiness  vector  at  the  beginning  of 
the  m^h  mission,  Equation  9  can  be  used  if  a  transition- 
probability  matrix,  P( tm_ \ , tra ) ,  can  be  obtained,  where  the 

transition  occurs  from  the  beginning  of  the  (m  -  l)st  mission 
to  the  beginning  of  the  m^h  mission.  This  matrix  is  obtainable 

362 


from  the  W  and  D  matrices,  with  the  addition  of  the  following 
def inition : 


Let  7  =  probability  that  maintenance  will  restore 
a  failed  system  to  a  successful  state. 

Note  that  in  the  transition  matrix  that  follows,  since  W 
and  D  are  assumed  to  be  stationary  transition  mechanisms  and  7 
is  not  a  function  of  time,  P  is  also  a  stationary  transition 
matrix : 


PS3  -  ws'Dss  +  Daf>') 

psf  - 

+(l-ws) 

pfa  "  wf(Dfs  +  DffV> 

prf  =  wr  Dff  C1  ■ 7  ) 

+(l-wf  )7 

+(l-wf)(l-7) 

If  the  initial  condition  at  t^  is  V(t^)  =  [p,  q] ,  where 
q  =  1  ■■  p,  from  Equation  9  we  have 


v(t2) 


=  vCtJPCv,  t2) 

=  [P,  q] 

=  [PP3S  +  qPfS'  pPSf  +  qPff]  ; 


P  0  Pef. 
ss  sf 


Lpfs  pffj 


and , 


v(tj  =  v(tjp(t2,  t3) 


“  tpPss  +  qPfs’  pPsf  +  qPff^ 


p  p 
rss  sf 


p  p 
fs  rff 


and  the  recursion  is  established. 

Since  we  are  considering  a  finite  transition  matrix  with 
stationary  transition  probabilities,  we  can  employ  the  equation 

II  =  nP(t,t+A),  =  1.0  (Equation  10) 

i 

to  obtain  the  steady-state  vector  or  stationary  distribution 

of  the  system  states  at  mission  start  time.  Let  tt  and 

JTf  represent  the  steady-state  probabilities  of  the  success  and 


363 


failure  states,  respectively.  Then,  from  Equation  10, 
(a)  7i rs  =  TTg  Pss  +  7rf  Pfs, 

and 


(b)  t rf 
Since  =  i 


=  ^s  psf  +  Tf  Pff- 
-  t rs,  we  have,  from  (a) 


^s  =  Ts  pss  +  Pfs  -  ^s  pf 


s » 


or 


^s  = 


fs 


Psf  +  Pfs 


and 


r Tr  - 


sf 


Psf  +  Pfs 


(Equation  11) 


(Equation  12) 


tts  and  tt£  can  then  be  expressed  in  terms  of  y  and.,jthe  elements 
of  the  W  and  D  matrices. 

Note  that  Equations  11  and  12  hold  for  any  system  for 
which  the  stationary  transition  mechanism  exists  and  for  which 
the  S-F  classification  is  made.  The  quantification  of  the 
transition  probabilities  will,  of  course,  vary  for  different 
systems  and  missions.  - 

It  is  possible  to  employ  similar  techniques  at  the  unit 
level.  However,  as  the  number  of  units  increases,  the  number 
of  system  states  increases  geometrically  and  mathematical  and 
computational  complexity  becomes  a  serious  problem.  One 
•approach  often  employed  is  to  use  simulation  models  in  con¬ 
junction  with  inputs  obtained  through  lower  level  analytical 
models  to  obtain  the  state  readiness  vector. 


7.2  Quantification  of  the  Mission- 
Readiness  Matrix,  W 

The  elements,  w^,  in  the  mission-readiness  matrix  are  the 
conditional  probabilities  of  using  the  system  for  a  particular 
mission  if  the  system  is  in  the  i*h  state.  Thus,  unlike  the 

364 


Vi,  ,  which  are  independent  of  the  next  mission  to  be  performed 
(the  vi  might  depend  on  the  previous  missions),  the  are 
generally  dependent  on  the  next  mission. 

Secondly,  the  elements  depend  on  the  maintenance  and 
checkout  procedures  and  capabilities.  Normally,  a  plane  that 
that  has  returned  from  a  mission  will  be  checked  out,  and 
required  maintenance  will  be  performed.  ■  It  is  possible,  for 
example,  that  a  plane  which  has  successfully  completed  a  mission 
will  experience  an  equipment  failure  during  landing;  this  fail¬ 
ure  would  classify  the  system  in  an  unacceptable  state  (the 
corresponding  w^_  =0).  Because  of  the  previously  successful 
mission,  however,  perhaps  only  cursory  maintenance  functions 
are  performed  and  the  equipment  failure  remains  undetected. 

Then  the  plane  is  incorrectly  though  to  be  in  an  acceptable 
state. 

These  two  major  factors,  mission  dependence  and  the  main¬ 
tenance  and  checkout  capabilities,  lead  to  the  following 
mathematical  decomposition  of  the  elements  of  the  W  matrix: 


=  P[use  system  [State  i] 

=  V  P[use  system  [think  State  j]  P  [think  State  j  [State  1)  . 
J  (Equation  13) 


The  first  conditional  probability  under  the  summation  is 
primarily  dependent  on  the  mission  to  be  performed,  while  the 
second  is  primarily  dependent  on  maintenance  and  checkout 
capabilities. 


7. 3  Quantification  of  the  State- 
Transition  Matrix,  D 

It  is  first  noted  that  for  the  basic  model  under  consid¬ 
eration,  the  d  matrix  represents  state  transition  during  the 
mission.  As  shown  in  Section  7.1,  the  D  matrix  is  just  one 
of  the  inputs  for  obtaining  the  state-transition  matrix  between 
missions . 


The  simplest  (and  not  wholly  unrealistic)  case  to  consider 
under  the  basic  model  is  to  assume  that  no  in-flight  repairs 
or,  more  generally,  no  restorations  of  failed  units  to  success¬ 
ful  states  are  possible.  Then  the  in-flight  state  transitions 
are  wholly  dependent  on  the  reliability  parameter.  A  transi¬ 
tion  from  a  state  with  k  failed  units  can  be  made  only  to 
states  with  (k  +  1)  or  more  failed  units. 


365 


For  computational  purposes,  the  following  scheme  for 
assigning  state  numbers  is  suggested: 

Represent  a  state  by  a  code  consisting  of  0’s  and  I's, 
where  0  represents  unit  failure  and'  1  represents  unit  success. 
Thus,  101  represents  the  system  state:  Unit  1  successful, 

Unit  2  failed,  and  Unit  3  successful.  These  system-state  codes 
are  then  equivalent  to  binary  numbers,  and  the  s.ystem-state 
numbers  to  be  assigned -are  then  the  equivalent  decimal  numbers 
plus  one,  so  that  the  last  state  number  equals  the  number  of 
states.  Thus,  if  there  are  three  units,  there  are  23  =  8 
system  states,  and  the  state  codes  and  numbers  are  as  follows: 


State 

Code 

State 

Number 

State 

Code 

State 

Number 

000 

1 

100 

5 

001 

2 

101 

6 

010 

3 

no 

7 

on 

4 

111 

8 

The  reason  for  this  particular  scheme  is  that  for  the 
assumption  of  no  in-flight  repairs,  the  R  matrix  is  triangular 
--  a  computationally  useful  property,  since  all  elements  above 
the  diagonal  are  zero.  The  triangular  matrix  occurs  because 
it  is  not  possible  to  go  from  State  i  to  State  j  for  i  <  j, 
since  such  transition  would  presume  that  a  failed  unit  was 
restored  to  operating  condition  either  through  repair  or  some 
intermittency  condition.  Note  that  zero-valued  elements  will 
also  appear  below  the  diagonal.  For  example,  .32  in  the  above 
example  is  equal  to  zero  since  the  transition  from  State  3  to 
State  2  involves  a  transition  of  Unit  3~"from  a  failed  to  a 
successful  state. 

The  elements  in  the  D  matrix,  D.^j  (i  a?  j),  are  then  solely 
a  function  of  unit  reliabilities.  Let  equal  the  reliability 
of  the  k^h  unit  for  the  mission  length  being  considered,  and 
Dfc  =  1  -  Dfc,  the  k-h  unit  unreliability.  Then,  for  the  above 
example,  we  have 


State 


State  1 

2  3 

4 

5 

6 

7 

8 

n 

± 

1 

0  0 

0 

0 

0 

0 

0 

2 

'»  D-3 

D3  0 

0 

0 

0 

0 

0 

3 

_?2_ 

_°  '  d2 

0 

0 

0 

0 

0 

4 

D  = 

D  2D3 

D-2D3  D2D3 

d2d3 

0 

0 

0 

0 

5 

Ei 

0  0 

0 

Di 

0 

0 

0 

6 

*1*3 

0 

0 

Du.L>3 

0 

0 

7 

DlD2 

0  D  2,  D 2 

0 

D  j.D  2 

0 

D  XD 

2  0 

8 

D1D2S3 

S"iDaD3  D-iD'2-D3  D  iDsDa 

^iD  2  Tb 

DiD  2D3  D 

D-2-D3  D-1-D2D3 

Extension  of  this  model  to  include  in-flight  repair  is 
normally  quite  difficult.  In  addition  to  the  complex  factors 
affecting  maintenance  capability,  the  model  must  consider  when 
a  failure  occurs,  since  restoration  of  a  failed  unit  will  depend 
on  how  much  time  is  available  before  the  unit's  function  is 
required.  This  type  of  consideration  will  normally  involve  a 
continuous-parameter  Markov  chain  (time  is  considered  as  a 
continuous  parameter),  and  renewal-theory  approaches  become 
applicable  JtA 

The  following  are  several  of  the  more  important  equations 
applicable  to  the  in-flight  repair  situations  for  a  two-state 
model: 

Let 

f(t)  =  time-to-f ailure  density  function  of  a  unit 

r(t)  =  repair-time  density  function 

y(t)  =  density  function  for  the  event  "end  of  operation 
of  the  unit" 

z(t)  -  density  function  for  the  event  "end  of  repair  of 
the  unit". 


A  good  introduction  to  renewal  theory  is:  D.  R.  Cox, 
Renewal  Theory,  John  Wiley  and  Sons,  Inc.,  .1962. 

^  Adapted  from:  Statistical  Theory  of  Reliability,  M.  Zelen, 
Editor,  the  University  of "Wisconsin  Press,  1963;  Chapter  1, 
"A  Survey  of  Some  Mathematical  Models  in  the  Theory  of 
Reliability,"  G.  H.  Weiss. 

367 


Then  the  following  renewal  equations  apply,  assuming  operation 
at  time  0: 


y(t) 

z(t) 


=  f(t)  +  fQ  z(x.)f(t-T)dT 

=  ft  y(T)r(t-T)dT. 

■Jo 


(Equation  14) 
(Equation  15) 


The  expected  number  of  failures  during  a  mission  of  T 
hours  is  then 


E/ji(F)  -j£  y(*r)dT,  (Equation  16) 


and,  similarly,  the  expected  number  of  completed  repair 
activities  is 

E^,(R)  ~  Jq  z(t)dT-  (Equation  17) 

We  can  also  find  the  probability  that  the  system  is  in  opera¬ 
tion  at  time  t  from  the  equation 


T'j  (t )  =  D(t)  +J't  z(  T)D(t-T)dT,  (Equation  18) 
where  D(t)  is  the  unit  reliability  function. 

It  is  interesting  to  note  that  as  t-*-  ^  (t)  approaches 

the  availability  formula,  MTBF/(MTBF  +  MDT).  Asymptotic 
results  have  also  been  obtained  for  the  distribution  of  down 
time,  and  exact  results  have  been  obtained  for  the  case  of 
exponential  failure  and  repair  density  functions^/  These 
latter  considerations  are  important  for  the  expected-value 
figure  of  merit  if  the  function  of  a  unit  is  required  con¬ 
tinuously,  but  some  contribution  to  effectiveness  will  be  made 
if  the  unit  operates  only  intermittently. 

The  applicability  of  the  above  equations  will  depend,  of 
course,  on  the  particular  operation  and  background  involved. 

Many  references  are  available  for  quantifying  failure  and  repair 


y  m.  Zelen,  op.  cit. 


368 


density  functions.  Thus,  the  densities  y(t)  and  z(t)  can  be 
obtained,  either  analytically  through  techniques  such  as 
Laplace  transforms,  or  through  numerical  procedures.  There 
still  remains  the  problem  of  integrating  the  unit  parameters 
into  a  system  modelj  for  example,  an  obvious  problem  is  the 
dependence  of  repair  capability  on  the  number  of  failures. 
In-flight  repair  can  only  presume  a  limited  maintenance  cap¬ 
ability,  and  thus  the  repair  function  of  a  unit  will  be 
dependent  on  the  state  of  other  units.  These  problems  will 
require  a  great  deal  of  research  effort. 


7 . 4  Quantification  of  the  Capability 
Vector,  C 

Capability  is  the  least  researched  concept  of  the  major 
factors  affecting  system  effectiveness;  thus  its  quantifica¬ 
tion  is  still  in  the  early  stages  of  development.  A  basic 
approach  for  obtaining  the  capability  vector  is  presented  in 
this  section. 

Capability  is  defined  as  the  probability  of  success¬ 
ful  mission  accomplishment,  given  satisfactory  system  opera¬ 
tion.  This  definition  is  appropriate  if  the  analysis  is  per¬ 
formed  at  the  system  level,  and  it  implies  that  unsatisfactory 
operation  (that  is,  performance  outside  of  design  specifica¬ 
tions)  cannot  lead  to  fulfillment  of  mission  requirements. 

In  the  performance  of  an  effectiveness  analysis  at  system 
sublevels,  however,  the  condition  of  satisfactory  performance 
loses  its  meaning  since  system  performance  is  now  represented 
by  system  states,  which  are  representations  of  particular 
combinations  of  unit  successes  and  failures.  The  translation 
of  the  capability  concept  to  this  level  of  analysis  is 
accomplished  in  a  straightforward  manner  by  the  introduction 
of  system-state  capabilities,  which  represent  the  prob¬ 
ability  of  successful  mission  accomplishment  when  a  particular 
system  state  exists.  These  probabilities  are  the  elements  c^ 
in  the  capability  vector. 

Since  the  overall  mission  requirement  is  usually  a  vector 
of  functional  requirements,  we  shall  first  consider  how  one  may 
synthesize  the  0  elements  from  a  decomposition  of  the  require¬ 
ment  vector. 1/  Assume  that  a  system  is  to  perform  a  mission 
that  requires  accomplishment  of  m  functions,  e.g.,  power  gen¬ 
eration,  communication,  and  navigation.  ,It  is  noted  that  this 


1/  The  rationale  for  such  synthesis  is  presented  in  the 

following  publication;  H.  Leuba,  R.  Boteilho,  Evaluation 
of  System  Design  Adequacy.  ARINC  Research  Publication 
No.  267-07-6-416,  becember  1963. 


decomposition  is  dictated  to  a  large  extent  by  the  system  level 
of  the  analysis.  This  level,  according  to  assumption  (4), 
Section  2,  wiJl  depend  on  the  capability  to  synthesize  the 
system  capability  from  sublevel  analyses. 

Consider  a  functional  capability  matrix  as  shown  below: 


Function 


1  2  ...  j 


1 

2 


c  c 

11  12 

c  c 

21  22 


m 

c 

im 

c 

2  m 


Unit  * 
i- 


'li 


n 


c  c 
n  i  n  2 


c 

nm 


where  c^j  is  the  probability  that  Unit  i  can  perform  the 
function  if  it  is  operating  within  design  specifications.  Note 
that  from  the  rule  given  for  choosing  the  system  level  we  assume 
that  the  Qjj  elements  are  mutually  independent.  In  the  incorpora¬ 
tion  of  the  design-adequacy  concept,  it  is  also  implied  that 
performance  outside  of  design  specifications  cannot  lead  to 
function  accomplishment. 

Two  modes  of  functional  operation  are  now  considered  for 
obtaining  the  elements  in  the  C  vector: 

Committed  Mode  -  Only  one  successful  unit  may  attempt 

to  perform  the  function,  and  that 
unit  is  the  one  which  has  the  maximum 
functional  design  adequacy. 

Uncommitted  Mode  -  All  successful  units  may  attempt 

to  perform  the  function. 

Let  Ajt(j)  represent  the  capability  of  the  system  in 
State  k  for  the  j^h  function;  that  is  Aj^j)  is  the  probability 
that  the  j^h  function  will  be  successfully  performed,  given 
that  the  system  is  in  State  k.  Assume  for  State  k  that  Units 
ij_,  i2»...»iD  are  the  successful  units.  Then: 


370 


(a)  For  a  function  in  the  committed  mode, 

Av(j)  =  max  Ci  ->  a  =  1,  2,  (Equation  19) 

K  i  1aJ 


(b)  For  a  function  in  the  uncommitted  mode, 

P 


Ajj)  =  1  - 


1  -  c 


a=l 


v/  • 


(Equation  20) 


The  capability  element  ck  in  the  vector  C  is  then 


m 


■it  -  TT  \«j)- 

J=1 


(Equation  21) 


The  differentiation  between  committed  modes  and  uncommitted 
modes  is  quite  elementary,  but  it  does  provide  a  basis  for  rtiore 
realistic  considerations.  For  example,  an  operational  sequence 
pertaining  to  a  particular  function  may  involve  a  partially 
committed  mode  in  the  sense  that  a  certain  unit  may  attempt  to 
perform  the  function,  provided  it  is  not  attempting  to  perform 
another  function.  Analytical  expression  of  Ajc(j)  for  such 
sequences  is  cumbersome,  but  computer  procedures  for  quantify¬ 
ing  this  probability  can  be  easily  developed. 


8.  CONCLUSIONS 

The  model  framework  presented  in  this  document  does  not 
represent  any  new  concepts  and,  in  fact,  is  relatively  unsophis¬ 
ticated  because  of  the  restrictive  assumptions.  It  does,  how¬ 
ever,  present  a  point  of  departure  for  effectiveness-model 
building  by  incorporating  in  a  logical  manner,  sub-models 
relating  to  dependability,  availability  and  capability. 

Although  this  framework  can  be  used  to  develop  much  more 
mathematically  complex  models,  there  is  the  danger  that  such 
models  require  data  inputs  that  are  presently  unobtainable  or 
that  working  the  model  is  computationally  unfeasible.  While 
it  is  believed  that  the  specific  models  presented  are  workable 
and,  in  many  cases,  quite  valid,  careful  examination  of  the 
assumptions  is  a  mandatory  requisite  before  application  to  a 
specific  system.  The  effects  of  any  possible  violation  of 
assumptions  must  be  ascertained  so  that  numerical  outputs  may 
be  appropriately  modified. 


371 


Extensions  of  the  models  to  more  complex  cases,  e.g., 
continuous  parameter  Markov  chains,  non-stationary  transition 
mechanisms,  renewal  theory  approaches  for  treating  in-flight 
repair  capabilities,  etc.,  have  been  indicated.  A  great  deal 
of  theoretical  research  and  data  collection  will  be  necessary 
before  such  problems  can  be  treated  practically  and  realistically. 


372 


appstosk  n 


CONCEPTS  AI'ID  MODELS  0? '  SYSTEM  EFFECTIVENESS 
30  JANUARY  196U 


Prepared  for 

Weapon  System  Effectiveness 
Industry  Advisory  Com-ittee 
Task  Group  II 

by 

I.  Bosinoff 


SYLVAKIA  ELECTRONIC  SYSTEMS  -  EAST 
SYLVAIilA  ELECTRONIC  SYSTEMS 
A  Division  of  Sylvania  Electric  Products,  Inc. 
100  First  Avenue,  Waltham  5k,  Massachusetts 


373 


CONCEPTS  AND  MODELS  OF  SYSTEM  EFFECTIVENESS 


As ' electronic  weapon  systems  continue  to  evolve  into  more 
and  more  complex  structures,  the  search  for  efficient  prediction 
and  measurement  techniques  takes  on  added  momentum.  Needed  are 
foolproof  methods  that  are  easy  to  implement  and  that  allow 
management  decisions  to  be  reached  with  minimum 'risk.  Many  of 
the  techniques  proposed  utilize  mathematical  models  to  simulate 
system  performance  thus  allowing  a  quantitative  as  well  as 
qualitative  measurement  and  prediction  to  be  made.  Most  of 
these  mathematical  models  suffer  in  that  they  can  only  approxi¬ 
mate  the  system  in  the  real  world)  however,  if  these  models  have 
sufficient  detail,  a  one  to  one  correspondence  can  be  approached. 
Specific  models  that  have  recently  received  attention  are  those 
characterized  by  Markov  processes.  These  models  address  them¬ 
selves  to  the  following  fundamental  questions. 

(1)  Is  the  system  working? 

(2)  If  *lt  Is  working,  what  is  the  probability  that  it 
will  continue  working  throughout  its  mission? 

(3)  Given  that  the  system  worked  throughout  its  mission, 
what  is  the  probability  of  the  mission  achieving 
success? 

For  systems  where  the  above  questions  are  appropriate,  it 
is  possible  to  define  each  question  as  a  probability,  and  the 


374 


product  of  all  three  defines  a  measure  of  system  effectiveness. 
Formal  definitions  of  the  above  probabilities  are  the  following: 

(1)  "Availability,"  or  "poiritwise  availability,"  or 
"operational  readiness"  is  the  probability  of  the 
system  being  operational  at  any  time  (t). 

(2)  "Reliability,"  or  "mission  reliability"  is  the 
probability  of  the  system  surviving  an  increment 
of  time. 

(3)  "Design  capability,"  or  "design  adequacy"  is  the 
probability  of  accomplishing  the  mission  objective 
given  that  the  system  works  throughout  its  mission. 


These  measures  may  be  determined  either  analytically  (state 
space  analysis)  or  synthetically  (Monte  Carlo)  or  by  a  combina¬ 
tion  of  both. 


The  first  technique  (state  space  or  phase  space)  will  be 
described  by  presenting  a  case  history,  then  developing  a  general 
model,  followed  by  additional  case  histories. 


This  particular  approach  depends  on  developing  a  framework 
of  reference  "state  space"  which  characterizes  the  system  as  a 
function  of  the  condition  of  its  component  subsystems. 

By  classifying  the  system  into  a  number  of  "states"  re¬ 
flecting  its  operating  condition,  a  "state  space"  is  defined 
and  the  state  of  a  system  can  be  used  to  determine  the  status  of 
the  system  at  any  given  time.  This,  classification  may  or  may  not 
describe  all  of  subsystem  states  individually  as  "working"  or 
"not  working."  In  general,  if  a  complete  classification  were 


375 


followed,  a  system  having  n  units,  each  of  which  can  be  in  only 
one  of  two  possible  states,  the  total  number  of  possible  states 
is  2n.  However,  some  of  these  states  may  be  similar  and  there¬ 
fore  not  distinguishable.  In  these  cases  the  analysis  is  simpli¬ 
fied  by  restricting  the  number  of  "states"  describing  the  system. 
Additional  states  may  be  added  if  the  number  of  repair  crews  are 
limited.  The  systems'  analyst  must  trade  off  the  requirement 
for  increased  system  knowledge  resulting  from  a  comprehensive 
listing  of  system  states  vs.  a  more  limited  classification  (few 
states)  which  results  in  a  mathematically  tractable  set  of  equa¬ 
tions.  These  points  are  illustrated  by  the  following  case 
histories. 

Case  I 

This  is  a  system  composed  of  three  subsystems.  Unit  A,  B, 
and  C.  The  configuration  of  these  units  whether  they  are  in 
series,  parallel,  or  in  combination  of  both  affects  the  system 
classification.  The  acceptable  states  depend  on  system  configura¬ 
tion  and  function.  A  number  of  system  configurations  are  shown 
in  Figure  1. 

Each  unit  is  defined  to  have  only  two  states,  working  or 
non -working.  The  working  state  i3  designated  by  the  letter 
name  of  the  unit;  the  non-working  state  is  designated  by  the 
letter  with  a  bar  above.  Defining  system  states  this  way,  there 
are  2n  combinations  as  shown  in  Figure' 2,  and  Table  - . 


376 


FIGURE  2 

STATE  SPACE  OF  THREE  UNIT  SYSTEM 


378 


Table  I 

Tabulation  of  System  States 

State 

Status 

1 

ABC 

2 

ABC 

3 

ABC 

4 

ABC 

5 

ABC 

6 

ABC 

7 

ABC  j 

8 

ABC 

Such  an  ordered  set  or  array  of  states  of  a  system  consti¬ 
tutes  the  "state  space"  of  the  system.  Note  in  some  systems, 
e.g.  Figure  la,  any  one  unit  down  or  any  two  units  down  may  not 
be  distinguished.  Therefore,  states  2,  3,  and  4  as  well  as  5, 

6,  and  7,  listed  in  Table  1,  may  be  considered  if  fine  detail 
is  required  by  the  analysis.  In  fact,  a  state  must  be  added  if 
there  are  a  limited  number  of  repair  crews,  e.g.,  see  Figure  3. 

A  probability  is  assigned  to  each  state  1  (i  =  1,  2,  ...,8); 

namely,  the  probability  that  the  system  will  be  in  that  state  for 

a  time  duration  At  sometimes  shortened  to  A.  The  system  is 

defined  to  start  operation  at  time  t-  =  0,  t  is  a  later  Instant 

0  m 

of  time  as  is  t  +  At.  The  expression  t  <  t  S  t  +  At  thus 
m  mm 


379 


I 


FIGURE  3 

TWO  UNIT  SYSTEM  HAVING  5  STATES 


380 


1 


V  V 


f 


represents  an  interval  of  time,  A  t  in  length,  and  occurring 
from  t  to  t  +  Zit.  The  expression  P(i,  t:  tm  <  t  4  t  +  ,/\t) 
represents  the  probability  that  the  system  is  in  state  i  at  any 
instant  t  between  t  and  t  +  At.  For  the  sake  of  convenience, 
this  expression  will  be  shortened  to: 

Pi(t  +  At) 

where  t  is  an  arbitrary  but  fixed  instant  in  time  like  t  . 

m 

Since  there  are  a  number  of  ways  to  enter  this  state 
Pi(t  +  At)  (see  Figure  3)>  the  sum  of  these  probabilities  will 
give  the  probability  of  being  in  state  i;  that  is. 


where 


pi(t  +  At)  -  £  phi  (t) 

h=l 


Phi  is  the  probability  of  going  from  state  h  to  i 
n  =  8  for  the  three  unit  system 

and  double  transitions  are  excluded. 


For  this  three  unit  system  which  admits  repair,  these 
individual  single  transition  probabilities  are  calculated  as 
follows.  A  probability  for  any  single  transition  is  the  product 
Of  three  other  probabilities:  the  probability  that  one  of  the 
units  remains  in  the  same  state;  the  probability  that  a  2nd 
unit  remains  in  the  same  state;  and  the  probability  of  a  3rd 


1 


I 


381 


unit  changes  its  state.  There  are  only  two  possible  ways  to 
change  state:  from  working  to  non-working  (a  failure)  and  from 
non-working  to  working  (a  repair).  There  are  only  two  possible 
ways  to  remain  in  the  same  state:  from  working  to  working,  and 
from  non -working  to  non -working. 

To  determine  these  probabilities,  the  failure  time  and 
repair  time  distributions  must  be  known.  For  the  case  being 
considered,  they  are  exponential  and  have  the  following  constant 
repair  and  failure  rates. 


Table  II 


Units 

Failure  Rate 

Repair  Rate 

A 

^Aij 

^Aij 

B 

Abij 

^Bij 

C 

^C'ij 

The  subscripts  allow  different  rates  to  be  assigned  to  each 
unit  as  a  function  of  the  state  of  the  system  and  the  number  of 
repair  crews  available.  In  the  case  being  studied,  the  number 
of  repair  crews  is  unlimited;  i.e.,  a  repair  is  initiated 
immediately  upon  failure,  and  the  failure  rate  is  independent 
of  the  system  state. 


382 


V  -v 


The  transition  probabilities  are  generated  as  follows: 


(l)  The  probability  that  the  system  will  go  from  state  1 
to  state  1  between,  t  and  t  +  \t  is  the  product  of 
the  following^ four  probabilities. 

(a)  The  probability  that  the  system  is  in  state  1 
at  t  - 

P±(t)  i  =  1 

(b)  The  probability  that  A  does  not  fail  during  the 

interval  t  -  ^ 

RA(At)  =  e  -AAnAt  i  /N'A11  At 

(c)  The  probability  that  B  does  not  fail  during  the 
interval  A  t  - 

rb(A  t)  i  -  A  Bn  At 

(d)  The  probability  that  C  does  not  fail  during  the 
interval  /\  t  - 

rc(A  t)  ^  i  -  ^cuAt 


Thus  the  probability  of  the  system  remaining  in  state  1  is 

R]_(t) (i  -  AAAt)(i  -  ABAt)(i  -  AcAt) 

(2)  The  probability  that  the  system  will  go  from  state  2 
to  state  1  between  t  and  t  +  At  is  the  product  of 
the  following  four  probabilities. 

(a)  The  probability  that  the  system  is  in  state  2 
at  t  - 

P2(t) 

(b)  The  probability  that  A  does  not  fail  during  the 
interval  i\t  - 

( 1  -  A  ^2]_  At) 


383 


(c) 

(d) 


The  probability  that  B  does  not  fail  during  At  - 

(!  ~  A B12  ) 

The  probability  that  C  is 'repaired  during  the 
interval  A^  “  a 

a  -/I  At  \ 

1  -  Mc(At)  -  1  -  e  C12  «  l-(l-Mcl2At) 


This  procedure  is  the  same  for  all  other  transition  proba¬ 
bilities  which  when  calculated  result  in  the  following  eight 
equations . 

p_L(t  +  At)  =  p1(t)(i- AAAt)(i-ABAt)(i-AcAt) 

+  p2(t)(i-  Aa;  ,t)(i-ABAt)(jUcAt) 

+  p3(t)(i-AAAt)(i-AcAt)(MB.\t) 

+  p4(t)(i-ABAt)(i-AcAt)(jUAAt)  (i) 

p2(t  +  At)  =  p1(t)(i-;  A  At)(i- ABAt)(A  cAt) 

+  p2(t)(i-  Aa  At)(i- ABAt)(i-McAt) 

+  p6(t)(i-  AAAt)(/xBAt)d-McAt) 

+  P7(t)(/xAAt)(i-ABAt)(i-McAt)  (2) 

p3(t  +  At)  =  p1(t)(i- Aa  At)(A  B/..t)  (i- Ac/.t) 

+  p3(t)(i- AAAt)d-Ac/.t)(i-/xBAt) 

+  P5(t)(MAAt)(i-//B/At)(i-AcAt) 

+  p6(t)(i-  AAAt)(i-jUBAt)(/icAt)  (3) 


384 


p^(t  +  At)  =  P1(t)  ( A.  A  _t)  (i- ABi-t)  (i- Ac  ^.t) 

+  p^(t)  (i-  Aa  — t)  (i- AbZ-a)  (i- Ac  *at) 

+  p5(t)(i-MAZ-t)(MBAt)(i- AcZ.t) 

+  p7(t)(i-MAZ.t)(i-MB.At)(^c;,t) 

p  (t  +  At)  =  P3 ( t ) ( A A / .t) (i-Mb.  t) ( p- Ac ._.t) 

+  P4(t)(i-MAAt)(ABAt)(i-^c  At) 

+  p5(t)(i-MAAt)(i-MBAt)ii-Ac  At) 

+  P8(t)d-AAAt)(i-MBAt)(McAt) 

p6(t  +  At)  =  p2(t)(i- AAAt)(ABi  t)d-McAt) 

+  p3(t)(i-AAAt)(i-AB-'  t)(Ac;  t) 

P6(t)(i-AA;.t)(i-MBAt)(i-AcAt) 

+  p8(t)(/iAAt)(i-MB/-t)(i-Ac  At) 
p?(t  +  At)  =  p2(t)( AA/.t)(i- AB/ t)(i-Ac-t) 

+  P4(t)(i-MAAt)(i-ABAt)(AcAt) 
P7(t)(i-MAAt)(i-ABAt)(i-AcAt) 

+  P8(t)(i-AAAt)(ABAt)(i-Ac_t) 

pq  ( t  +  At)  -  P5(t)  (i-Ma  At)  (i-Ab  — t)  ( A  c  — t) 

+  p6(t)(A  A:.t)d-ABi-t)(i-Ac--t) 
P7(t)(l- AA/.t)(A  B.  .A)(1-Ac~t) 

+  P8(t)(i-AA/-t)(i-AB.  t )  ( 1  -  A  c  —  t )  • 

The  transitional  probabilities  along  the  diagonal  are  all 

P.(t)(l  -  a) ( 1  -  b) ( 1  -  c) 


form 


These  can  be  expanded  to  separate  out  the  P  (t)  which  can  be 
brought  over  to  the  left  side  so  that  the  general  result  is 

P  (t+At)  -  Pi(t)  =  ?1(t)  j -(a+b+c)  +  ab  +  cb  +  ac  -  abc! 

and  if  one  neglects  the  higher  order  terms  and  divides  both 
sides  by  At,  the  result  is  a  series  of  equations  where  the  left 
side  is  of  the  general  form: 

p.(t  +  At)  -  p.(t) 

A  t 

which  is  defined  as  the  derivative  of  P^(t)  in  the  li'mj  t  as 

t— 3*0 

p  [(.)  .  lim  Pj(t  +  At)  -  Pi(t) 

1  '  fc-*°  Afc 

The  limit  taken  on  both  sides  results  in  the  following  equations 


Px(t) 

-  -<  VAB+Ac’  pi(t)  +  V2(t) 

+  gBP3(t)  +  UAP4(t) 

(9). 

P2(t) 

■  Vl(t)  -  (AA+V^C)r2(t) 

+  •-BP6(t)  +  ^AP7(t) 

(10) 

P3(t) 

-  Vi(t)  -  (VVVp3(t) 

+  kAP  (t)  +  A'0P6(t) 

(11) 

386 


yt)  -  AAp1(ti  -  (Ma+ab+ac)  p4(t> 

+  MBP5(t)  +  /UcP7(t)  (12) 

p  (t)  =  Aap3(o  +  ABP4(t)  -  (^A+WB+Ac)p5(t) 

+  M0P8(t).  (13) 

p6(t) -  ABp2(t)  +  AcP3(t)  -  (AA+y+y,)p6(t) 

+  MAPg(t)  (l1*) 

yo  -  AAP2(t)  +  AcP4(t)  -  (ma+Ab+m0)p7(c) 

+  MBP8(t)  (15) 

-  AcP5(t)  +  AAP6(t)  +  ABP7(t) 

-  (MA+MB+y)P8(t)  (is) 

As  linear  equations  they  can  be  written  in  matrix  form: 


387 


or  more  generally  as: 


r 


T 


;  A,/i  ; 


J 


P1(t)  P2(t)  ...  Pn(t) 


-P1(t) 

Px(t) 

P2(t) 

• 

P2(t) 

• 

p  (t) 
n  ' 

p  (t) 

n v  ' 

A  ,11 

Px(t)  P 

(18) 


n' 


(19) 


Where 


A 


Is  defined  as  a  Q  matrix  and 


.is  its 


transpose . 


The  necessary  constraints  or  boundary  conditions  required 
to  solve  these  equations  are : 


n 


X  rqt)  =■  i 

i=l 


(20) 


which  says  that  the  system  must  be  in  at  least  one  of  the  eight 
possible  system  states  (this  holds  for  all  t) 


389 


(21) 


Px(0)  =  1 

Pi(0)  =0  (i  =  2,3,  • . .n) 

This  gives  the  initial  conditions  (t=0)  of  the  system. 

If  only  a  steady  state  solution  is  desired,  then  one  can 
immediately  set  the  derivatives  P^(t)  =  0,  thus  leaving  a  system 
of  algebraic  equations  which  can  be  solved. 

To  accomplish  this,  we  omit  any  one  of  homogeneous  equa¬ 
tions  and  substitute  the  above  constraint  for  that  equation  and 
then  solve  this  system  of  equations  for  the  P^(t). 

The  solution  for  cases  of  lower  order  systems  are  classical 
and  are  given  in  the  literature.  A  larger  system  of  differential 
equations  can  be  solved  by  the  Runge-Kutta  method  on  a  computer, 
although  the  computer  memory  will  place  a  limit  on  the  number  of 
units  an  analyzable  system  may  have. 

The  preceding  set  of  equations  provides  the  necessary 
structure  for  defining  availability  in  a  formal  manner.  Avail¬ 
ability  is  defined  as  the  column  vector  (equation  18)  or  the  row 
vector  (equation  19)-  This  vector  contains  all  of  the  system 
component  availabilities  and  by  summing  the  acceptable  (favor¬ 
able)  availabilities  one  obtains  a  measure  of  system  performance. 


390 


It  should  he  noted  that  in  computing  the  availability  of 
the  system  no  consideration  was  given  beforehand  to  the  system 
configuration.  Only  upon  describing  all  possible  states  of 
the  system  via  difference  equations  and  subsequently  obtaining 
the  differential  equations,  was  consideration  given-  to  system 
configuration.  Then  computation  of  system  availability  is 
found  by  summing  up  the  probabilities  of  acceptable  system 
states. 

To  compute  reliability,  R(T),  one  proceeds  in  a  similar 
manner  as  in  the  availability  analysis.  However,  the  system 
conf iguration  must  be  established  beforehand  since  the  absorbing 
states  (those  causing  system -fa Hare}- must -be  defined.  As  pre¬ 
viously  mentioned,  once  an  absorbing  state  is  reached,  one 
cannot  make  a  repair  and  come  out  of  that  state;  i.e.,  one 
remains  in  that  state  with  probability  1. 

The  following  table  lists  the  failed  absorbing  states 
corresponding  to  the  configurations  (a)  -  (d)  in  Figure  1. 


391 


Table  HI 

Absorbing  States  of  Systems 

Configuration 

Absorbing  State 

(a) 

8  ' 

(b) 

2,3, 4,5, 6, 7,8 

(c) 

4, 5, 6, 7, 8 

(d) 

5,7,8 

To  illustrate  this  concept,  we  select  the  configuration 
(a)  from  Figure  1.  As  can  be  seen  from  this  configuration, 
the  absorbing  state  occurs  only  when  units  A,  B  and  C  are 
failed  simultaneously,  which  in  this  case  would  be  state  8. 
Only  the  final  matrix  notation  is  given  for  this  analysis  and 
is  given  in  equation  (22).- 


392 


, _ s 

, _ „ 

, _ „ 

V- 

V- 

v- 

V- 

_ _ 

_ _ 

> _ - 

_ _ 

-  - 

_ _ . 

cvj 

m 

in 

VO 

CO  . 

1  .0, 

.Ah 

•  A. 

.A* 

.fL, 

•Ah 

.B, 

As  can  be  seen  in  the  above  transition  matrix,  the  column 
representing  the  absorbing  state  contains  all  zeros.  This  will 
be  true  for  all  those  states  that  are  absorbing.  The  above 
equations  can  be  solved  by  the  method  of  Laplace  transforms,  or 
on  a  computer  knowing  the  initial  condition  of  the  system.  We 
also  know  that 

8 

^  pyt)  =  i 


This  example  has  illustrated  the  technique  of  obtaining 
a  system  of  differential  equations,  both  for  the  availability 
and  reliability  models. 

Since  this  analysis  has  been  performed  under  the  assumption 
that  the  units  have  only  two  possible  states,  working  and  non¬ 
working,  it  may  be  objected  that  this  assumption  places  a  great 
restriction  on  the  method,  since  most  units  used  in  practice 
have  continuous  performance  parameters,  as  opposed  to  the 
simple  on-off  type.  But  this  objection  does  not  hold  because 
such  continuous  parameters  can  be  quantized;  i.e.,  their  ranges 
can  be  precisely  divided  and  limited,  so  that  a  strict  division 
between  working  and  non-working  states  is  obtained. 

Although  an  underlying  exponential  distribution  for  the 
failures  and  repairs  have  been  assumed  for  the  units  in  the 
system  analyzed,  so  that  X  and  fJL  are  constants,  the  analysis 


394 


can  be  performed  as  noted  using  other  distributions  and  using 
other  weaker  assumptions  to  give  more  general  cases.  (See 
J.  Kielson  and  A.  Kooharian  "On  Time  Dependent  Queuing  Processes, 
Annals  of  Math.  Stat.,  March  i960.) 

At  this  point  a  brief  explanation  is  presented  on  the 
effect  of  having  a  different  number  of  repair  crews.  In  normal 
practice,  an  individual  repair  crew  for  each  unit  of  the  system 
is  rarely  the  case.  Usually  one  is  limited  to  one  or  two  repair 
crews  and  accordingly  the  transition  probabilities  associated 
with  a  repair  must  be  modified.  To  illustrate  this  we  again 
consider  a  three  unit  system  made  up  of  identical  units  (each 
with  failure  rate  operating  in  active  redundancy  as  shown 

in  Figure  1  configuration  (a).  We  first  consider  the  case  of 
only  one  repair  crew  (with  repair  rate  JJ_).  In  this  case  the 
system  has  only  four  states  if  we  assume  that  units  are 
indistinguishable.  These  are: 

State  1  -  all  units  working 
State  2  -  one  unit  not  working 
State  3  -  two  units  not  working 
State  4  -  all  units  not  working. 

The  difference  equations  for  the  availability  model  in 
this  case  are: 


395 


I 


Px(t  +  A)  =  Px(t)  (1  -  3  A  _. )  +  P2(t)^A  (23) 

p2(t  +  a)  =  p ]_ ( t )  3  A  A  +  P2(t)  ii  -  (2/,  +/<  )_] 

+  P3(t)MA  (24) 

P3(t  +  A)  =  P2(t)  2  A  A  +  p3(t)  [ i  -  (  A  +  A  )A] 

+  P4(t)uA  (25) 

p4(t  +  A)  =  P3(t)AA  +  P4(t)  (i  -  a  A )  (26) 


If  two  repair  crews  were  available  (each  having  repair 
rate  pi),  the  difference  equations  would  become: 


v* 

+ 

A) 

-p 

i — i 

Ph 

II 

(1  -  3  AA)  +  : 

p2(t)  aA 

(27) 

-p 

OJ 

(u 

+ 

A) 

=  Px(t) 

3  AA  +  p2(t) 

!i  -  (2 A 

+  U  )_\] 

+  P3(t) 

2AA 

(28) 

p3(t 

+ 

A) 

-  P2(t) 

2AA  +  F  (t) 

[l-(A 

+  2  AO  A’ 

+  P4(t) 

2  A  A 

(29) 

V1 

+ 

A) 

=  p  (t)AA  +  p  (t)  (i 

<3 

OJ 

1 

'  (30) 

As  can  be  seen,  the  advantage  between  one  repair  crew  or 
two  repair  crews  is  when  the  system  is  in  states  3  or  4.  When 
two  repair  crevis  are  available  and  two  or  three  units  are  in¬ 
operative,  the  probability  of  completing  a  repair  in  A  is 


396 

I 


I 


f 


2 /I  A  where  with  one  repair  crew  this  probability  is  j~i  A  .  This 
is  intuitively  clear  since  if  two  or  three  units  have  failed 
and  two  repair  crews  are  working,  the  probability  of  completing 
a  repair  is  twice  as  great  as  the  probability  when  only  one 
repair  crew  is  available.  However,  the  more  repair  crews  one 
has  on  hand  for  repair  capability,  the  greater  the  idle  time  of 
each.  Therefore,  there  is  a  certain  trade-off  which  must  be 
made  both  from  the  standpoint  of  maximizing  uptime  and  minimizing 
the  idle  time  of  repair  crews. 

Design  capability  is  defined  as  the  probability  that  a  system  will 
successfully  accomplish  its  mission  given  the  system  states;  tailing  the 
mission.  The  capability  of  the  system  can  be  directly  relate.;  to  the  sys¬ 
tem  state.  For  example,  consider  a  three -unit  system  ( 1  .e . ,  three  .vao.ars  ) 
Figure  4  -  where  the  probability  of  detecting  a  target  is  .9  if  all  three 
radars  are  working,  .6  if  two  axe  working,  .5  if  one  is  working  then  the 
system  states  can  be  weighted  as  follows:  - 


397 


>--en  the  average  capability  per  mission  would  provide  a 


system  measure. 

In  some  systems  such  an  average  measure  may  not  be  use- 
,  a  missile  where  a  specific  lower  bound  on  perfor- 
mn  e  is  essential  to  success. 

previous  analysis  has  been  made  on  a  three -unit  system. 
In  theory  the  same  mathematical  analysis  could  be  made  on  a 
system  with  n  units,  although  if  n  is  too  large  the  method 
becomes  computationally  unwieldy.  The  following  analysis  is 
the  application  of  essentially  the  previous  approach  to 
a  system  composed  of  any  n  sub-units,  so  that  the  preceding 
analysis  of  the  three  unit  system  may  be  regarded  as  an  illustra¬ 
tive  example  of  this  more  generalized  approach. 

General  Analysis  on  n-Unlt  System 

The  following  discussion  will  formalize  the  procedures 
discussed  above.  A  mathematical  model  of  system  availability 
is  developed. 

We  define 

P(t)  =  A(t)  =  A(t+At)  -  A(t)  (3!) 

t-*0  A  t 

j 


399 


We  further  define  P(  At),  a  matrix,  as  the  transition 
probability;  i.e.,  the  probability  of  going  from  A(t)  to 
Aft  At)  in  time  At.  Therefore:' 

A(t  +  A  t)  =  P(At)  Aft)  (32) 

Substituting  equation  (32)  into  (31)  results  in 


lim  P(At)  Aft)  -  Aft) 
At— >°  /\t 


and 

s  ^ 

A(t)  -  ,U”  liAll  -  I  A(t)  (34) 

\  At  J 

where  I  is  the  identity  (unit)  matrix. 

The  matrix  I  is  required  because  it  enables  A(t)  to  be 
factored  out  of  the  expression. 

Define  the  matrix  Q  by 

Q  -  .  lim  P(At)  -  I  (35) 

_ _ At— >0  ^  t 


then 


Aft)  =  QA( t )  (36) 


400 


In  a  stationary  system  the  rate  of  change  of  availability, 
defined  by  A(t),  will  approach  zero  as  time  increases.  Specifi¬ 
cally  at  t  =oo,  A ( t )  =  0  and  therefore  from  equation  (36)  we 
have 

0  =  A ( 00 )Q  (39) 

Thus,  this  steady  state  solution  can  be  satisfied  only  if 
the  matrix  Q  is  singular;  i.e..  Its  determinant  is  zero. 

Additional  examples  of  one  and  two  unit  systems  further 
illustrate  the  above  techniques. 


may  be  useful  for  computer  programs  If 
t  is  large. 


401 


Case  II:  Sample  Analysis  of  One -Unit  System 


Figure  5  is  a  one  unit  system. 


Unit  1 

R  =  probability  of 
unit  working 

M  =  probability  of 
repairing  unit 
if  not  working 

One  Unit  System 
Figure  5 

This  system  has  2n  possible  states  where  n  is  the  number 
of  units  in  the  system  tabulated  in  Table  IV. 


Table  IV 

Tabulation  of 
oi  Gifc  tin 

System  States 
it  System 

State 

Unit 

1 

working 

2 

failed 

The  transition  probabilities,  P1j(.'\t)J  are  the  proba¬ 
bilities  of  being  in  a  specific  state  and  either  remaining  in 
that  state  or  going  to  another.  These  are  given  in  Table  5. 


402 


where 

p  =  the  probability  of  being  in  state  one  and  remaining 
11  there. 

p  =  the  probability  of  being  in  state  one  and  going  to 
^  state  two,  etc. 


Substituting  the  probabilities  shown  in  Figure  5  into 
Table  V  results  in  Table  VI. 


Table  VI 

j  Transition  Probabilities 

^^■^To 

From^^^ 

WM 

2 

1 

R" 

(l-R) 

2 

M 

(l-M) 

where 

(l-R)  =  probability  of  unit  failing 

(l-M)  =  probability  of  unit  not  being  repaired. 


403 


If  the  units  are  independent  and  the  chance  of  failure  or 
repair  does  not  depend  on  past  history,  the  exponential  functions 
can  be  used  to  describe  the  probabilities  of  Table "67 


R(  At) 


i  -  A  A  t 


(40) 


m(  At)  -  i  -  S 


-Mt 


MAt 


(41) 


where 


A  =  failure  rate 
jj [  =  repair  rate 


ft 

1  -ft 


-  A  At 
-ftAt 


probability  of  zero  failures  in  ,\t 
probability  of  at  least  one  repair  in  At. 


We  now  solve  for  the  terms  of  the  Q  matrix  from  the  following 
relationships : 


Q  = 


a  llm  l-P(At)  -  I. 
At->0  . 


(42) 


therefore 


<*11  = 


.  lim  P11  '  1 

At  ->  °  At 


.lim  l-AAt-l__A 

At-^o  jt 


=  lim  P21  _ 
2i  At-- >0  a^ 


lim  MAt  =  // 

t' — ^  o  Afc 


(43) 

(44) 


404 


q12 

q22 


lim 

At 


512  _  lim  A  At  _  \ 

a  A  *-  /\  k  A 


■>o  At  At— >0 


,  lim 

At — *>0 


P22  ~  1 

At 


lim  1  -  U  A  t 
At— >°  At 


-  1 


(^5) 

-  U  (46) 


The  Q  matrix  is  therefore 


Q  - 


(47) 


ancUf since  A  (t)  =  A(t)Q  it  is  possible  to  write  the  2n  linear 
differential  equations  with  constant  coefficients.  These  are 


a1(t)  -  -  Aa1(t)  +  fi ag(t) 

(48) 

a0(t)  -  Aa1(t)  -  fi  a2(t) 

(49) 

To  solve  this  system  of  first  order  linear  differential  equations, 

2/ 

we  can  make  use  of  the  Laplace  transform-^  and  the  relationship 
that  a-j_(0)  =»  1,  a2(0)  =  0.  Taking  Laplace  transforms  of  equations 
(48)  and  (49)  and  denoting  the  Laplace  transform  variable  by  s  results  in 


sL.(a1)  -  a1(0)  +  AL(ax)  -  LL  L(a2)  =  0  (50) 

sAa2)  -  a2(0)  -  /i L ( a t  )  +  j^i  L(a2 )  =  0  (51) 


C.  R.  Wiley,  Advanced  Engineering  Mathematics,  McGraw-Hill; 
P.  LeCorbeiller,  Matrix  Analysis  of  Electronic  Network, 
Harvard  University  Press. 


40  5 


Substituting  the  values  of  a^O)  and  a2(0)  gives 

_  ..  ah  ( a  -jj  -  _i  aL( 

a^ )  -  /.i.L(a2)  =0 

( 52 ) 

■?  E  ( a  2 )  -  / L  ( a  -^ ) 

J~  )/..h L(aP)  —  0 

(53) 

or 

(s  +  A  )L(a1) 

(54) 

-AL(a1)  +  (s 

+  )L(a2 )  =  0 

(55) 

Making  use  of  determinants  we  now  solve  for  L(a^),  and 
from  the  relationship  a]_(t)  +  a2(t)  =  1  it  is  possible  to  obtain 
a2(t)  once  a1(t)  has  been  determined. 


Expanding  (57)  in  partial  fractions  results  in 


lt-j  ( s  +  /n  +  [X )  f  k2&  —  s  +  /X  (59* 

k j s  +  (  A.  +  /X  )  k  ^  +  k2s  =  s  +  fX  ( 6 0 ) 


406 


kx  +  k2 


1 


(6l) 


or 


therefore 


and 


(  A  +  M  ~  M 


ir  =  M  and  kp  -  — .  ^—rr 

^  A+M  a+  M 


r  /  a  )  =  _ _  +  - — — * V - — 

1  (  a  +  /J. ) s  (A  +  M )  ( s  +  A  +  /- ) 


therefore 


a-i  (t) 


it  .  ie 


-(A  +M)t 


M-  +  /.t— - 

IT7T  A  +  M 


Since 


( t )  +  a  ( t )  -  1 


,( t)  =  1  -  a^t)  = 


a2^  =  -  -  “1'-'  II 


A  _  A£ 


-(a  + 


A  +  M 


The  steady  state  availabilities  are  easily  obtained 
equations  (65)  and  (66)  by  letting  t  — >  *° 


t 


(62) 


(63) 


(64) 


(65) 


(66) 

from 


407 


It 


al(<-')  -•  -- ^ — 

(67) 

A  tp- 

a2  (  '”  )  =  . 

(68) 

Case  III:  Sample  tnalysis  of  Two -Unit  System 

In  this  section  the  transition  matrix  Q  will  be  determined 
and  the  system  of  linear  differential  equations  set  up.  Figure  6 
is  the  two  unit  sysuem  to  be  considered. 


Unit  No.  1 

Unit  Mo.  2 

R-,  =  probability  of  unit 
No.  1  working 

Rg  =  probability  of  unit 
No.  2  working 

M-j-  =  probability  of  re¬ 
pairing  unit  No.  1 
if  not  workj  ig 

Mg  =  probability  of  re¬ 
pairing  unit  Mo.  2 
if  not  working 

Two  Unit  System 
Figure  6 

The  system  has  C1'1  possible  states  and  are  tabulated  in 
Table  ?  below. 


t 


408 


Tabulation 

Table  VII  | 

of  States  of  Two  Unit  System  j 

State  ' 

Unit  No.  1 

Unit  No.  2 

1 

Working  (0) 

Working  (0) 

2 

Working  (0) 

Failed  (l) 

3 

Failed  (l) 

Working  (0) 

4 

Failed  (1) 

Failed  (l) 

We  now  list  the  transition  probabilities  in  Table  8  below. 


Table  VIII 

Transition  Probabilities 

_ - _ 

^\To 

PromV 

1 

2 

3 

4 

]_ 

T» 

"'ll 

p 

p12 

?13 

P14 

p 

P2l 

P22 

p23 

p24 

3 

P31 

p32 

P33 

P34 

4 

p4l 

p42 

p43 

p44 

where 


p,,  =  probability  of  being  in  state  one  and  remaining 
in  state  one 

Po2  =  probability  of  being  in  state  three  and  going  to 
state  two,  etc. 

NOTE:  It  will  be  shown  that  a  double  transition;  i.e.,  the 

probability  of  going  from  state  four  to  state  one  in  a 
small  increment  of  time  (At)  is.  impossible  and  there¬ 
fore  zero. 


409 


t 


Substituting  the  probabilities  given  in.. : ' '  c-  ■'  ^ntc  TVo  i r 
results  in  Table  IX 


Table  IX- 

.....  ..j 

^\To 

Froin'v. 

1 

2 

3 

4 

1 

R1R2 

R  (1-RV.) 

( 1  r  )  R2 

(1-R1)(1-R2) 

2 

R1M2 

R,  (  1  -IC.  : 

1 v  2 ' 

(1-T 

1  '  2 

(!-r1)(i-m2) 

3 

M1R£ 

M1(l-K?! 

(I"-  ‘V, 

(1-M-,  )(1-Rr  ) 

4 

M  M 

1  2 

M  (1-fcJ 

......  ...  ^ 

.  )K 

■'  1  ‘ 

(  „r/r  i  1  .]V;  } 

. . \ 

We  now  determi^-i-Q  from  the  relationship 


lim  lp(At)  -  I)j 
At— >0  Afc 


q 


11 


lim  (1- A1.'\t)(l-A2At)-l 

At  — >  o  Afc 


lim 


(1- 


,t  )  /  .  O  >t 


12 


l4l 


\t 


At  ->o 

lim  (/.  1.\t)(/l2_t) 

t-->0  t 


=  0  etc. 


The  complete  Q  matrix  for  this  two  unit  system  is  given  in 
equation  (72). 


»  i-x  < 


(69) 

(70) 

(71) 


410 


The  syautiu  of  linear  differential  equations  is  as 
follows : 


ix( t)  -  -(A1+Ag)ai(t) 

+V2(t> 

+P-1  a3(t) 

0 

a2(t)  -  A2a1(t) 

-(A  j+/^2)a2( 

0 

a3(t)  -  ^a^t) 

0 

-(/i1+ A2)a3(t) 

+U2  au(t) 

a4(t)  =  0 

^•1a2(t) 

+  A2a3(t) 

-(M1+M2)a4ft) 

411 


This  system  of  equations  can  be  solved  in  a  manner  similar 
to  that  of  the  one  unit  system. 

It  is  also  possible  to  solve  equation  (73)  by  considering 
the  elements  of  the  availability  vector  to  be  functions  of  the 
single  unit  availability.  For  example,  in  a  two  unit  system, 
as  shown  below 


A 

Unit  1 


B 

Unit  2 


FIGURE  7 


Has  four  states  as  follows: 


Table  X 

Tabulation  of  System  States 
Two  Unit  System 


Status 

State 

AB 

1 

AB 

2 

AB 

3 

AB 

4 

412 


/ 


/ 


£11 

-  unit 

A 

a  vallate  :.ity 

all 

=  unil 

X  L 

un availability 

aia 

-  unit 

B 

t 

a.! rai  Lability 

al2 

=  unit 

B 

v  naval lability 

Then  for  the  two  unit  case  the  probability  of  being  in  any 
one  of  the  four  states  is: 


al  “ll  “l2 


a2  =  all  a12 


a3  =  all  al2 


aii  ^all  a12 


(74) 


(75) 


< 76 ) 


(77) 


This  then  is  the  solution  for  equation  (73). 

T 

T 

This  procedure  can  be  extended  to  encompass  more  than 
two  units. 

Conclusion  and  Summary 

System  nerformance  measures  availability,  reliability,  and 
design  capability  have  been  described.  The  product  of  these 
three  parameters  is  a  measure  of  system  effectiveness.  This 
measure  will  provide  management  with  a  useful  tool  for 
determining : 

(1)  The  quantity  and  types  of  equipment  required  in  K 

a  system. 

(2)  The  required  number  of  repair  crews. 

(3)  The  required  number  of  spare  parts. 

(4)  The  system  effectiveness  predicted  and  measured. 


Acknowledgement 

The  writer  wishes  to  acknowledge  that  the  technical  concepts 
presented  here  we re” presented  at  an  EIA  (Electronic  Industries 
Association)  M-5.3  Subcommittee  meeting.  Additional  technical 
inputs  were  made  by  various  members  of  the  Reliability  Assurance 
Department  of  Sylvania  Electronic  Systems. 


Prepared  by:  I.  Bosinoff 

Sylvania  Electronic  Systems 
30  January  1964 


414 


BIBLIOGRAPHY 


ARINC'  Research  Corp.,  Semiconductor  Reliability  -  Final 

Report,  G.  J.  Blakemore,  Jr.,  et  al.,  ARINC  Research 
Publication  No.  239-01-4-383,  Contract  NObsr-87664, 

31  July  1963. 

U.  S.  Naval  Ordnance  Lab.,  Bureau  of  Naval  Weapons 

Failure  Rate  Data  Handbook,  Corona,  California, 

FARADA  -  Handbook  SP-53-470,  Vol.  3,  1  June  1962, 
(Revised  through  1  March  1964). 

Bureau  of  Ships  Reliability  Design  Handbook,  NavShips 
94501,  29  March  1963. 

Reliability  Stress  and  Failure  Rate  Data  for  Electronic 

Equipment  Military  Standardization  Handbook  No.  217, 

RADC  Reliability  Notebook,  RADC  No.  TR-58-lll,  OTS  Nos. 
PB-l6lb94,  Basic,  October  1959;  PB-l6l894-2, 

Rev.  2,  December  1961;  PB-l6l894-3,  Rev.  3, 

January  1963. 

Martin-Marietta,  Reliability  Analysis  Guide,  Martin 
Report  No.  ER-12205,  December  1961. 

AVCO  Corp.,  Reliability  Engineering  Data  Series,  "Relia¬ 
bility  Physics,  "  March  1962;  ^Failure  Rate,"  April 
1962;  "Failure  Criteria,"  March  1962;  "Failure 
Mechanisms,"  April  1962;  "Reliability  in  Space  - 
Environment,"  January  1963,  Wilmington,  Massachusetts 

ASTRO  Reliability  Corp.,  Reliability  Assessment  Handbook, 

5  January  1963. 

ARINC  Research  Corp. ,  Reliability  Theory  and  Practice, 

Chapter  9,  "Fundamentals . of  Reliability  Prediction," 
ARINC  Research  Publication  No.  191-1-335,  1962. 

Vitro  Lab.,  Reliability  Analysis  and  Prediction  Techniques 
Vitro  Tech.  Note  1582.01-2,  11  February  1963. 

EIA  Engineering  Dept.  (M-5.2  Publication),  Component  Parts 
'Failure  Data  Compendium,  Reliability  Bulletin  No.  34 
December  1962. 


Federal  Electric  Corp.',  System  Reliability  Prediction 
by  Function,  R.  Tommaney,  RADC  Document  No.  RADC 
TDR-63-145,  DDC  No.  AD  406191,  RADC  Contract 
No.  AF  30(602) -2687,  May  1963. 

ARINC  Research  Corp.,  System  Reliability  Prediction  by 
Function,  Vol.  1,  "Development  of  Prediction  Tech¬ 
niques,  11 '  R*.""R:  Jeffers,  H.  S.  Balaban,  ARINC  Research 
Publication  No.  241-01-1-375,  RADC  Document  No. 
TDR-63-300,  DDC  No.  AD  416494,  RADC  Contract  No. 

AF  30(602) -2838,  27  May  1963. 

Lockheed  Georgia  Co.,  Reliability  Reports,  C-130A  (period 
of  January  '.96 1  -  December  1962) C  -130B  (report 
period  of  -January  1961  -  August  1963);  C-130E  (report 
period -c.  April  1962  -  July  1963),  Operations  Relia¬ 
bility  and  Maintainability  Summary,  Marietta,  Georgia. 

Vitro  Corp. ,  Handbook  for  the  Prediction  of  Shipboard  and 
Shore  Electronic  Equipment  Reliability,  Vitro  Tech. 
Report  No.  133,  NavShips  Contract  93820,  April  1961. 

ARINC  Research  Corp. ,  Prediction  of  Field  Reliability  for 

Airborne  Electronic  Systems,  H.  Balaban  and  A.  Drummond, 
ARINC  Research  Publication  No.  203-1-3^,  Contract 
No:  AF  33t657)-7382,  31  December  1962. 

RCA  Service  Co.,  Maintainability  Technique  Study,  Final 
Tech.  Report,  Phase  V,  Vol.  I,  RADC  Document  No. 
RADC-TDR-63-85,  DDC  No.  AD  404899,  Contract  No. 

AF  30(602 ) -2057,  5  February  1963. 

RCA  Service  Co.,  Maintainability  Engineering,  Phase  V, 

Vol.  II.  RADC  Document  No.  RADC-TDR-op-85,  DDC  No. 

AD  404898,  RADC  Contract  No.  AF  30(602)-2057, 

5  February  1963. 

RCA  Service  Co.,  Maintainability  Measurement  and  Prediction 
Methods  for  AF  Ground  Electronic  Equipment,  Field  Data 
Collection,  Phase  II,  DDC  No.  AD  247155,  Contract  No. 

AF  30(602 )-2057,  15  September  i960. 

Aerospace  Maintenance  and  Operational  Status  (AMOS)  Summary, 
An  AFLC  reporting  system  requiring  monthly  reports 
from  AFLC  Air  Materials  Areas  (AMA's)  which  includes 
mean-time-between-maintenanc-e  (MTBM)  and  time-to- 
repa.ir  information  obtained  from  AFM  66rl  data. 


416 


Autonetics,  Div.  of  North  American  Aviation,  Minuteman 
Standard  Parts  Handbook  (WS-133A  and  B) ,  Revision 
C,  Publication  No.  550-X-38,  Contract  AF  04(647) -923 
for  WS-133A  and  Contract  AP  04(694) -247  for  WS-133B, 

5  April  1963. 

Martin  Co . ,  System  Maintainability  Measurement  Study, 

Weapon  System  1Q7C,  Titan  II,  Vol.  IV,  H.  G.  Madderia 
et  al . ,  Martin  Document  No.  CR  63-155,  Contract  No. 

AF  04 (647) -576,  August  1963. 

Astro  Reliability  Corp.,  Astro  Reliability  Handbook, 

RD  101,  AF  Prime  Contract  AF  04(694)-l,  Subcontract 
No.  56-204-SC,  17  July  1961. 

Aerospace  Corp.,  Survey  of  Component  Part  Failure  Rates, 
Aerospace  Report  1923-1-69 « 

American  Power  Jet  Co.,  Electromechanical  Component 

Reliability,  G.  Chernowitz,  et  al. ,  RADC  Document 
.  No.  TDR-63-295.,  DDC  No.  AD  422327,  RADC  Contract 
No.  AF  30(602) -2652,  May  1963. 

American  Power  Jet  Co.,  Reliability  Prediction  for 

Mechanical  and  Electromechanical  Parts,  G.  Chernowitz 
et  al.,'  RADC  Document  No.  TDR-6?P50,  RADC  Contract 
No.  AF  30(602) -2991,  January  1964. 


DIP  TRILL)  riON"  LIST 


Each  W3EIAC  Member 

3 

AFETR 

3 

— 

AFW-lft" - ... 

3 

HQ  USAF 

» 

AFSI  J 

5 

ECMR 

AF°RQ 

5 

REE 

5 

Ai'SLP 

2 

REQ 

5 

AFSME 

2 

CCMR 

AFOXP 

2 

RCE 

5 

AFRDC 

2 

RC.Q 

5 

Dap  TIG  USAF 

5 

WCMR 

A  "'RDP 

2 

RWE 

5 

RWQ 

5 

SAC  (OAOC) 

25 

ADC  (A.OMDC) 

25 

RTD  (RTbp  ' 

2 

TAC  (DMEMP/Maj  J.  Trent) 

50 

RADC  (EM^  T) 

30 

AFCS  (CSSME/Col.  Glettler) 

10 

SEG  (SENPQ 

40 

CONAC  (MME/Lt.  Col. 

10 

RTD  (Det  iiik 

5 

J.  J.  Hart ;ngton) 

AFWL  (WLP? 

e 

ATC  (ATTAP) 

15 

AFRPL  (RPRP 

c 

~f 

AFLC  (MCMCE) 

75 

AU  (Library) 

1 

AFSWC  (SWTOI- 

5 

Air  Force  Academy 

2 

AEDC  (AEL)  \ 

5 

AFIT  (SE) 

5 

AFMDC  (MDOPT)L 

5 

AFIT  (3L) 

100 

AFFTC  (FTTE)  \ 

5 

HQ  AF  Systems  Command 

-  50 

APGC  (PGVEC)  ^ 

* 

5 

ASD  (ASAPD/Mr.  OverDe) 

150 

DOD  (DDR&E/Mr..  Nuc\  i 

50 

BSD  (BSOC) 

50 

\ 

SSD  (SSSIR) 

50 

Department  of  the  Army  \ 

3 

ESD  (ESTE) 

50 

OCRD  (CRD/L)  \ 

FTD  (TDE-1) 

5 

Wash.  ,  D.  C. 

\ 

AMD  (AMRO) 

10 

\ 

Department  of  the  Army 

5\ 

NRD 

OCRD  (CRD/Q) 

\ 

SCGRS 

1 

Wash.  ,  D.  C. 

SCGRP 

1 

NRD  (Det  #1) 

Office  of  Assistant 

3 

NRS 

6 

Secretary  of  the  Army 

NRP 

2 

Research  and  Development 

Attn:  Mr.  C.  W.  Woodside 

Wash.  ,  D.  C. 

' '  'ix 


^rmy  M*\t 

(AMcrd-ga 

Wash  ,  D.  C. 


C^inbi1. t  Developmei 

(CBC-’vlR/Col.  R.  J.  K. 

Bslvoir,  Va. 

C^O  ( OP- 701) 

ONM  (MAT- 325)  2 

Bt;SH..P3  (Code  100 -X) 

BXJWEPS  (Code  C) 

ONR  (Code  400) 

Commandant,  Marine  Corps 

I'JASA  (Ccc  KR.) 

National  War  College  (Library) 

Industrial.  College  of  the  Armed 
Forces  (Library) 

Dei\n  e  Management  Senior  SPO  5 
School  (Col.  Harris) 

XJ.  S.  Army  Management 

Eng  nee ring  Training  Agency 
(Rock  JU;land  Arsenal) 


